
add redirect url #227

Open · wants to merge 2 commits into master

Conversation

tuana9a commented Jan 4, 2025

Use case

I deployed

  • a code-server running http on port 8209
  • it sits behind a reverse proxy with SSL termination (e.g. nginx, Cloudflare Tunnel) running https on port 443

I'm accessing it with https://dev2.tuana9a.com from any of my devices that have a web browser (desktop, tablet, laptop, phone).

In this server I want to use kubelogin to access my internal Kubernetes cluster. kubelogin will listen on port 8000, and that server doesn't have a browser, so I skip the open-browser step; instead, when the CLI runs, it should show the URL below:

Please visit the following URL in your browser: https://dev2-8000.tuana9a.com

The vscode-server supports exposing a port over a custom proxy, like

VSCODE_PROXY_URI=https://dev2-{{port}}.tuana9a.com

so that I can go to that URL, access the temporary server opened by this oauth2cli and continue the authentication process.

The current setup only has redirect hostname + port; I think adding a RedirectUrl and letting the user decide it could improve the flexibility of the CLI.

If this goes through, I would love to open my next PR to add the --oidc-redirect-url flag to the kubelogin CLI as well. The full config looks like this:

```yaml
- name: oidc
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://accounts.google.com
      - --oidc-client-id=xxxx-yyy.apps.googleusercontent.com
      - --oidc-client-secret=zzz
      - --skip-open-browser
      - --listen-address=0.0.0.0:8000
      - --oidc-redirect-url=https://dev2-8000.tuana9a.com
      command: kubectl
      env: null
      interactiveMode: IfAvailable
      provideClusterInfo: false
```

Tests

I have successfully modified the code and written an e2e test for this use case, and it passed.

Related

This PR may be related to #137 and #117.

int128 (Owner) commented Jan 25, 2025

I think the following option may help this issue:

```text
      --oidc-redirect-url-hostname string               [authcode] Hostname of the redirect URL (default "localhost")
```

tuana9a (Author) commented Jan 26, 2025

I have updated the description. I'm deploying:

  • vscode-server with http on port 8209
  • it sits behind a reverse proxy with https (SSL termination) on port 443

example: https://dev2.tuana9a.com:443 -> http://192.168.56.9:8209 (192.168.56.9 is the IP address of the vscode-server)

Using --oidc-redirect-url-hostname is not enough; let's say the CLI listens on port 8000, then the redirectUrl will look like this:

http://dev2-8000.tuana9a.com:8000, which is not correct.

The correct one should be https://dev2-8000.tuana9a.com:443, as I set up the reverse proxy to forward to http://192.168.56.9:8000.

I would also have to open port 8000 in the firewall and forward it to the vscode-server inside.

As I see it, we take the port from the bind address:

oauth2cli/server.go, lines 24 to 26 in 69eb49a:

```go
localServerPort := localServerListener.Addr().(*net.TCPAddr).Port
localServerURL := constructLocalServerURL(cfg, localServerPort)
localServerIndexURL, err := localServerURL.Parse("/")
```

and the https protocol requires cert files:

oauth2cli/server.go, lines 50 to 58 in 69eb49a:

```go
if cfg.isLocalServerHTTPS() {
	if err := server.ServeTLS(localServerListener, cfg.LocalServerCertFile, cfg.LocalServerKeyFile); err != nil {
		if errors.Is(err, http.ErrServerClosed) {
			return nil
		}
		return fmt.Errorf("could not start HTTPS server: %w", err)
	}
	return nil
}
```

oauth2cli/oauth2cli.go, lines 108 to 110 in 69eb49a:

```go
func (cfg *Config) isLocalServerHTTPS() bool {
	return cfg.LocalServerCertFile != "" && cfg.LocalServerKeyFile != ""
}
```

So I think we have these options:

  • add more custom (override) flags, e.g. --oidc-redirect-url-protocol + --oidc-redirect-url-port
  • or, as I'm thinking: if the user knows the network setup and understands what they are doing, just add the flag --oidc-redirect-url and DIY.

Or can you suggest a better alternative? Thanks!
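As an added illustration of the two behaviours this thread contrasts (not oauth2cli's own code, and not code from either participant), the Go sketch below reconstructs the hostname-plus-listener-port URL construction and then layers the proposed full-URL override on top of it, with the validation a maintainer would want before sending that value to the identity provider. Only `isLocalServerHTTPS` and the `LocalServerCertFile`/`LocalServerKeyFile` field names come from the excerpts above; the trimmed `Config`, the `RedirectURLHostname` and `RedirectURL` field names, the body of `constructLocalServerURL` and the `resolveRedirectURL` function are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strconv"
)

// Config is a hypothetical, trimmed-down stand-in for oauth2cli's Config.
// Only the cert/key fields and isLocalServerHTTPS() are taken from the thread;
// RedirectURLHostname and RedirectURL are assumed field names for this sketch.
type Config struct {
	RedirectURLHostname string // stands in for --oidc-redirect-url-hostname (assumed name)
	LocalServerCertFile string
	LocalServerKeyFile  string
	RedirectURL         string // proposed full override, e.g. https://dev2-8000.tuana9a.com
}

// isLocalServerHTTPS mirrors the check quoted from oauth2cli.go above:
// the scheme becomes https only when both cert and key files are configured.
func (cfg *Config) isLocalServerHTTPS() bool {
	return cfg.LocalServerCertFile != "" && cfg.LocalServerKeyFile != ""
}

// constructLocalServerURL is a hypothetical reconstruction of the behaviour the
// thread describes: scheme from the cert files, host from the hostname flag,
// port from whatever the local listener actually bound.
func constructLocalServerURL(cfg *Config, localServerPort int) *url.URL {
	scheme := "http"
	if cfg.isLocalServerHTTPS() {
		scheme = "https"
	}
	host := cfg.RedirectURLHostname
	if host == "" {
		host = "localhost"
	}
	return &url.URL{
		Scheme: scheme,
		Host:   net.JoinHostPort(host, strconv.Itoa(localServerPort)),
	}
}

// resolveRedirectURL applies the proposed override when it is set. The value is
// sent to the identity provider and must match the registered redirect URI
// exactly, so it is validated conservatively: absolute, http(s) only, no
// userinfo, and no query string or fragment that could be confused with the
// authorization response the provider appends on the way back.
func resolveRedirectURL(cfg *Config, localServerPort int) (*url.URL, error) {
	if cfg.RedirectURL == "" {
		return constructLocalServerURL(cfg, localServerPort), nil
	}
	u, err := url.Parse(cfg.RedirectURL)
	if err != nil {
		return nil, fmt.Errorf("invalid redirect URL: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, errors.New("redirect URL must use http or https")
	}
	if u.Host == "" {
		return nil, errors.New("redirect URL must be absolute and include a host")
	}
	if u.User != nil {
		return nil, errors.New("redirect URL must not contain userinfo")
	}
	if u.RawQuery != "" || u.Fragment != "" {
		return nil, errors.New("redirect URL must not contain a query string or fragment")
	}
	return u, nil
}

func main() {
	cfg := &Config{RedirectURLHostname: "dev2-8000.tuana9a.com"}
	u, _ := resolveRedirectURL(cfg, 8000)
	fmt.Println("hostname flag only:", u) // http://dev2-8000.tuana9a.com:8000 (listener port leaks through)

	cfg.RedirectURL = "https://dev2-8000.tuana9a.com"
	u, _ = resolveRedirectURL(cfg, 8000)
	fmt.Println("with override:     ", u) // https://dev2-8000.tuana9a.com

	cfg.RedirectURL = "/callback"
	if _, err := resolveRedirectURL(cfg, 8000); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The first call reproduces the URL the thread calls "not correct": the hostname flag changes only the host, while the scheme still follows the cert files and the port still follows the listener. The override path shows why a full URL is the simpler knob, and why it deserves its own checks: whatever string ends up here is what the provider will compare against its registered redirect URI, so malformed or relative values should fail fast in the CLI rather than surface as an opaque provider error.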
