
Support Device authorization flow for programmatic access #5083

Open
calderonth opened this issue Apr 23, 2024 · 0 comments
Assignees
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. NeedsProposal

Comments

@calderonth

Is your feature request related to a problem? Please describe.
Pomerium only offers the ability to perform programmatic access using the callback flow.

For instance, a localhost listener is started and once the user has performed their authentication to Pomerium, their browser opens the redirect URL to the local listener to finish the authentication and pass the pomerium JWT credentials.
However, in a situation where the programmatic access command is run from a remote host this does not work.

For instance, when running pomerium-cli k8s exec-credential https://myk8sapiserver.example.com whilst being connected over SSH to a remote machine, the localhost listener will be opened on the remote machine and the programmatic authentication will fail.

Describe the solution you'd like
One way to solve this is to use the OAuth2 Device Authorization flow, where the programmatic client requests a unique code from the IdP and prompts the user to perform the authentication using this code whilst polling the IdP for the result of the authentication. The user follows the link with their browser and performs the authentication; meanwhile, the CLI tool which was polling will retrieve the corresponding access/id_token.

I believe Pomerium might have to implement some sort of proxying of the Device Authorization flow in order for this to work smoothly and transparently; this would likely require exposing the .well-known/openid-configuration endpoint so that supported clients can retrieve the necessary endpoints to call for this flow (token_endpoint and device_authorization_endpoint in the discovery).
Alternatively, the flow could stay fairly custom (especially if a Pomerium JWT is returned instead of an OAuth2 access token/ID_token) but that means that custom clients have to be written (which is acceptable for my use-case with pomerium-cli).

Describe alternatives you've considered
The only way to make the current model work is to use port-forwarding between the endpoint and the remote machine, preferably using a static port-mapping, but it gets messy very quickly if hosts are shared between different users.

Additional context
Example flow:

pomerium-cli k8s exec-credential https://myhost.example.com
Please authorize your device by visiting https://idp.company.com/activate?user_code=SRKDZLFS
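To make the flow requested above concrete, here is an added example that is not part of Pomerium, pomerium-cli or this issue: a self-contained Go simulation of the OAuth 2.0 Device Authorization Grant (RFC 8628) with both sides running in one process. The IdP side (DeviceAuthorization, Token, Approve) and the CLI side (RunDeviceFlow) are this example's own names and are assumptions; in a real deployment the two IdP functions would be the device_authorization_endpoint and token_endpoint advertised in .well-known/openid-configuration and spoken over HTTPS with JSON bodies, the verification URI https://idp.example.com/activate is a placeholder, and the "tok-..." access token stands in for whatever the IdP (or Pomerium, if it hands back its own JWT) would issue. The Approve call stands in for the human opening the link in a browser on their own machine and typing the user code, which is exactly the step that needs no listener on the remote host.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"sync"
	"time"
)

// DeviceAuthResponse mirrors the JSON an IdP returns from its device_authorization_endpoint.
type DeviceAuthResponse struct {
	DeviceCode      string `json:"device_code"` // high-entropy secret, held by the CLI and used to poll
	UserCode        string `json:"user_code"`   // short code the human types in at VerificationURI
	VerificationURI string `json:"verification_uri"`
	ExpiresIn       int    `json:"expires_in"`
	Interval        int    `json:"interval"`
}

type grant struct {
	userCode string
	approved bool
	expires  time.Time
}

var (
	mu     sync.Mutex
	grants = map[string]*grant{} // in-memory IdP state for this example, keyed by device_code
)

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

func DeviceAuthorization(lifetime, interval time.Duration) DeviceAuthResponse {
	mu.Lock()
	defer mu.Unlock()
	dc, uc := randomHex(16), randomHex(4)
	grants[dc] = &grant{userCode: uc, expires: time.Now().Add(lifetime)}
	return DeviceAuthResponse{DeviceCode: dc, UserCode: uc, VerificationURI: "https://idp.example.com/activate",
		ExpiresIn: int(lifetime / time.Second), Interval: int(interval / time.Second)}
}

// Token is the IdP's token endpoint: it returns either an access token or an RFC 8628 error code,
// and releases a credential only for an approved, unexpired, single-use device_code.
func Token(deviceCode string) (accessToken, errCode string) {
	mu.Lock()
	defer mu.Unlock()
	g, ok := grants[deviceCode]
	switch {
	case !ok:
		return "", "invalid_grant"
	case time.Now().After(g.expires):
		delete(grants, deviceCode)
		return "", "expired_token"
	case !g.approved:
		return "", "authorization_pending"
	}
	delete(grants, deviceCode)
	return "tok-" + randomHex(8), ""
}

// Approve stands in for the user visiting VerificationURI in a browser, logging in and typing the code.
func Approve(userCode string) bool {
	mu.Lock()
	defer mu.Unlock()
	for _, g := range grants {
		if g.userCode == userCode && time.Now().Before(g.expires) {
			g.approved = true
			return true
		}
	}
	return false
}

// RunDeviceFlow is the CLI side: obtain the codes, hand the user_code to the human (the approve
// callback here), then poll until a token arrives, the IdP reports an error, or the code expires.
func RunDeviceFlow(lifetime, interval time.Duration, approve func(userCode string)) (string, error) {
	dev := DeviceAuthorization(lifetime, interval)
	fmt.Printf("Please authorize your device by visiting %s?user_code=%s\n", dev.VerificationURI, dev.UserCode)
	approve(dev.UserCode)
	deadline := time.Now().Add(time.Duration(dev.ExpiresIn) * time.Second)
	for time.Now().Before(deadline) {
		tok, code := Token(dev.DeviceCode)
		if code == "" {
			return tok, nil
		}
		if code != "authorization_pending" && code != "slow_down" {
			return "", fmt.Errorf("device flow failed: %s", code)
		}
		time.Sleep(time.Duration(dev.Interval) * time.Second) // never poll faster than the IdP allows
	}
	return "", fmt.Errorf("device code expired before the user approved it")
}

func main() { fmt.Println(RunDeviceFlow(5*time.Minute, 5*time.Second, func(code string) { Approve(code) })) }
```

The checks in Token are the part worth carrying over to whatever proxies this flow: the polling client only ever holds the device_code, a credential is released only after a human has approved the matching user_code, the code is rejected once its lifetime passes, and it is deleted on first successful exchange so a replayed poll cannot mint a second token. The CLI side honours the advertised interval and treats any error other than authorization_pending or slow_down as terminal.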
@kenjenkins kenjenkins added NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. NeedsProposal labels Apr 29, 2024
@kralicky kralicky self-assigned this May 16, 2024