refactor: adopt Duende.IdentityModel.OidcClient for CLI auth (PROT-47)#9
Merged
Conversation
Replace the hand-rolled OAuth code with the certified Duende.IdentityModel.OidcClient library, driving login, refresh, and userinfo through the registry's OIDC discovery document instead of hand-built endpoints and DTOs.
- Add Duende.IdentityModel.OidcClient 7.1.0.
- Reduce the loopback listener to a thin IBrowser (LoopbackBrowser) and add an OidcClientFactory that targets the registry discovery doc.
- Drive login via OidcClient.LoginAsync (PKCE over a loopback redirect, RFC 8252); preserve the --provider shortcut via front-channel identity_provider, plus --no-browser and --timeout.
- Drive status refresh/userinfo via RefreshTokenAsync/GetUserInfoAsync.
- Slim RegistryClient to the /v1/meta compatibility check; keep the file-based credential store (~/.protostar/credentials.json).
- Remove the hand-rolled helpers: Pkce, LoopbackServer, the authorize-URL builder, and the token/userinfo DTOs.
- Harden headless support: always echo the sign-in URL and skip the browser launch on a display-less Linux/Unix session (no DISPLAY/WAYLAND_DISPLAY).
- Fix stale README wording (the store is the credential file, not the OS keychain).
Behavior is preserved; all acceptance scenarios stay green on Windows and Linux.
ljones491 (Member) approved these changes on Jun 3, 2026 and left a comment:
Good call not printing the start URL through Spectre
jackiessb approved these changes on Jun 3, 2026
Resolves PROT-47.
What
Replaces the hand-rolled OAuth code in `src/Protostar.Cli/Auth/` with the certified `Duende.IdentityModel.OidcClient` library (Apache-2.0, OIDC-certified). Login, refresh, and userinfo now run through the registry's OIDC discovery document (`/.well-known/openid-configuration`) instead of hand-built endpoints and DTOs. The CLI owns far less protocol code.
Changes
- Add `Duende.IdentityModel.OidcClient` 7.1.0.
- `Auth/LoopbackBrowser.cs`: a thin `IBrowser` hosting the one-shot loopback `HttpListener` on `/callback` (RFC 8252). The only protocol glue left.
- `Auth/OidcClientFactory.cs`: builds `OidcClient` against the registry authority's discovery doc.
- `LoginCommand`: drives `OidcClient.LoginAsync`. Preserves `--provider` (front-channel `identity_provider`), `--no-browser`, and `--timeout`.
- `StatusCommand`: refresh + userinfo via `RefreshTokenAsync`/`GetUserInfoAsync`.
- `RegistryClient`: slimmed to just the `/v1/meta` API-compatibility check.
- Removed: `Pkce`, `LoopbackServer`, the authorize-URL builder, and the token/userinfo DTOs.
- Kept: the file-based credential store (`~/.protostar/credentials.json`) and the `/v1/meta` compat check, exactly as before.
Headless ergonomics
- The sign-in URL is always echoed. On a display-less Linux/Unix session (no `DISPLAY`/`WAYLAND_DISPLAY`) the launch attempt is skipped and the URL is printed, closing the gap where `xdg-open` "succeeds" with no browser shown.
- The loopback redirect still requires the browser to share a host with the CLI; true remote-headless (device-code flow) would be a separate registry-side change.
Verification
- `dotnet build protostar.sln`: clean, 0 warnings / 0 errors.
- `dotnet test`: 21/21 pass (Reqnroll acceptance + credential-store), Windows.
- `auth --help`, `auth status` (offline), `auth login --help`, and `auth login` against an unreachable registry (fails fast on `/v1/meta` before opening a browser).
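An added example (not the PR's own `LoopbackBrowser`) of the headless-aware, one-shot loopback `IBrowser` the description outlines, written against the `Duende.IdentityModel.OidcClient` browser abstraction. The `Duende.IdentityModel.OidcClient.Browser` namespace, the `IBrowser`/`BrowserOptions`/`BrowserResult` shapes and the `TimeSpan` type of `BrowserOptions.Timeout` are assumptions about the library; the port and `/callback/` path are sample values.

```csharp
using System;
using System.Diagnostics;
using System.Net;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using Duende.IdentityModel.OidcClient.Browser; // assumed: IBrowser, BrowserOptions, BrowserResult
// Added example, not the PR's own LoopbackBrowser: one-shot loopback redirect handler.
public sealed class LoopbackBrowser : IBrowser
{
    private readonly bool _noBrowser;   // mirrors --no-browser
    public LoopbackBrowser(bool noBrowser = false) => _noBrowser = noBrowser;

    // RFC 8252 section 7.3: bind the literal loopback IP, not "localhost", so a
    // hosts-file entry cannot steer the authorization response to another host.
    public static string RedirectUri(int port) => $"http://127.0.0.1:{port}/callback/";

    // xdg-open can exit 0 with no browser shown when no display server is running,
    // so a Unix session without DISPLAY/WAYLAND_DISPLAY is treated as headless.
    public static bool IsHeadlessUnix() =>
        !RuntimeInformation.IsOSPlatform(OSPlatform.Windows) &&
        !RuntimeInformation.IsOSPlatform(OSPlatform.OSX) &&
        string.IsNullOrEmpty(Environment.GetEnvironmentVariable("DISPLAY")) &&
        string.IsNullOrEmpty(Environment.GetEnvironmentVariable("WAYLAND_DISPLAY"));

    public async Task<BrowserResult> InvokeAsync(BrowserOptions options, CancellationToken ct = default)
    {
        using var listener = new HttpListener();
        listener.Prefixes.Add(options.EndUrl);   // the RedirectUri above; prefix must end in '/'
        listener.Start();

        // Always echo the URL as plain text (no console markup): on a headless host it is
        // the only route to the sign-in page.
        Console.WriteLine($"Sign in at: {options.StartUrl}");
        if (!_noBrowser && !IsHeadlessUnix())
            Process.Start(new ProcessStartInfo(options.StartUrl) { UseShellExecute = true });

        // One-shot: take a single request or time out, then stop listening. The raw
        // callback URL goes back to OidcClient, which validates state and the PKCE verifier.
        var accept = listener.GetContextAsync();
        if (await Task.WhenAny(accept, Task.Delay(options.Timeout, ct)) != accept)
            return new BrowserResult { ResultType = BrowserResultType.Timeout };

        var context = await accept;
        context.Response.Close(Encoding.UTF8.GetBytes("Sign-in complete. You can close this tab."), true);
        listener.Stop();
        return new BrowserResult { ResultType = BrowserResultType.Success, Response = context.Request.Url!.ToString() };
    }
}
```

Wire it in by setting `OidcClientOptions.RedirectUri = LoopbackBrowser.RedirectUri(port)` and `OidcClientOptions.Browser = new LoopbackBrowser(noBrowser)` before calling `LoginAsync`.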