Support Device authorization flow for programmatic access #5083
Labels
NeedsInvestigation
NeedsProposal
Is your feature request related to a problem? Please describe.
Pomerium only offers the ability to perform programmatic access using the callback flow.
For instance, a localhost listener is started and once the user has performed their authentication to Pomerium, their browser opens the redirect URL to the local listener to finish the authentication and pass the pomerium JWT credentials.
However, in a situation where the programmatic access command is run from a remote host this does not work.
For instance, when running `pomerium-cli k8s exec-credential https://myk8sapiserver.example.com` whilst connected over SSH to a remote machine, the localhost listener will be opened on the remote machine and the programmatic authentication will fail.
Describe the solution you'd like
One way to solve this is to use the OAuth2 Device Authorization flow, where the programmatic client requests a unique code from the IdP and prompts the user to perform the authentication using this code whilst polling the IdP for the result of the authentication. The user follows the link with their browser and performs the authentication; meanwhile the CLI tool, which was polling, will retrieve the corresponding access/ID token.
I believe Pomerium might have to implement some sort of proxying of the Device Authorization flow in order for this to work smoothly and transparently; this would likely require exposing the `.well-known/openid-configuration` endpoint so that supported clients can retrieve the necessary endpoints to call for this flow (`token_endpoint` and `device_authorization_endpoint` in the discovery document).
Alternatively, the flow could stay fairly custom (especially if a Pomerium JWT is returned instead of an OAuth2 access token/ID token), but that means that custom clients have to be written (which is acceptable for my use-case with `pomerium-cli`).
Describe alternatives you've considered
The only way to make the current model work is to use port-forwarding between the endpoint and the remote machine, preferably using a static port-mapping, but it gets messy very quickly if hosts are shared between different users.
Additional context
Example flow:
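The device authorization exchange described in this issue, as an added example that is not part of the issue or of Pomerium's code: a Go program that stands up a constructed in-process fake IdP (an httptest server playing the role of the IdP, or of a Pomerium endpoint proxying it) and a client loop doing what a CLI on the SSH host would do. The user's browser login is simulated by the fake IdP approving the code after the CLI's second poll; the user code WDJB-MJHT, the token value, the client_id and the `unit` time scale are demo assumptions. It goes a little beyond the issue text by exercising the RFC 8628 error codes the CLI must handle: slow_down (add 5 s to the polling interval), authorization_pending, invalid_grant for an unknown device code, and expiry.

```go
package main

import (
	"crypto/rand"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync"
	"time"
)

const grant = "urn:ietf:params:oauth:grant-type:device_code" // RFC 8628 section 3.4

// RFC 8628 wire formats (sections 3.2 and 3.5); expires_in and interval are seconds.
type deviceAuthResponse struct {
	DeviceCode      string `json:"device_code"`
	UserCode        string `json:"user_code"`
	VerificationURI string `json:"verification_uri"`
	ExpiresIn       int    `json:"expires_in"`
	Interval        int    `json:"interval"`
}
type tokenResponse struct {
	AccessToken string `json:"access_token,omitempty"`
	Error       string `json:"error,omitempty"`
}

func writeJSON(w http.ResponseWriter, status int, v any) {
	w.WriteHeader(status)
	_ = json.NewEncoder(w).Encode(v)
}

// StartFakeIdP is a constructed stand-in for the IdP (or a Pomerium endpoint proxying it), not
// Pomerium's code: it serves device_authorization_endpoint and token_endpoint for one outstanding
// device code and, in place of a real browser login, approves the code after the second poll.
func StartFakeIdP() *httptest.Server {
	var mu sync.Mutex
	deviceCode, approved, polls := "", false, 0
	mux := http.NewServeMux()
	mux.HandleFunc("/device_authorization", func(w http.ResponseWriter, r *http.Request) {
		b := make([]byte, 16)
		_, _ = rand.Read(b) // the device code is the CLI's only secret: it must be unguessable
		dc := fmt.Sprintf("%x", b)
		mu.Lock()
		deviceCode, approved, polls = dc, false, 0
		mu.Unlock()
		writeJSON(w, http.StatusOK, deviceAuthResponse{DeviceCode: dc, UserCode: "WDJB-MJHT", // demo user code
			VerificationURI: "http://" + r.Host + "/device", ExpiresIn: 300, Interval: 1})
	})
	mux.HandleFunc("/token", func(w http.ResponseWriter, r *http.Request) {
		mu.Lock()
		defer mu.Unlock()
		polls++
		switch {
		case r.FormValue("grant_type") != grant || deviceCode == "" || r.FormValue("device_code") != deviceCode:
			writeJSON(w, http.StatusBadRequest, tokenResponse{Error: "invalid_grant"})
		case polls == 1: // pretend the first poll arrived before the interval elapsed
			writeJSON(w, http.StatusBadRequest, tokenResponse{Error: "slow_down"})
		case !approved:
			approved = polls >= 2 // stand-in for the user finishing login in their browser before the next poll
			writeJSON(w, http.StatusBadRequest, tokenResponse{Error: "authorization_pending"})
		default:
			writeJSON(w, http.StatusOK, tokenResponse{AccessToken: "at-demo"}) // demo token value
		}
	})
	return httptest.NewServer(mux)
}

func postForm(u string, form url.Values, out any) error {
	resp, err := http.PostForm(u, form)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	return json.NewDecoder(resp.Body).Decode(out)
}

// PollForToken is the CLI side of RFC 8628 sections 3.4 and 3.5: sleep interval between polls,
// add 5 s on slow_down, retry on authorization_pending, stop at expiry or on any other error.
// unit scales the RFC's seconds (time.Second in real use); the error codes seen are returned in order.
func PollForToken(tokenURL string, da deviceAuthResponse, unit time.Duration) (tokenResponse, []string, error) {
	var seen []string
	interval := time.Duration(da.Interval) * unit
	for deadline := time.Now().Add(time.Duration(da.ExpiresIn) * unit); time.Now().Before(deadline); {
		time.Sleep(interval)
		var tr tokenResponse
		form := url.Values{"grant_type": {grant}, "device_code": {da.DeviceCode}, "client_id": {"pomerium-cli"}}
		if err := postForm(tokenURL, form, &tr); err != nil {
			return tr, seen, err
		}
		switch tr.Error {
		case "":
			return tr, seen, nil
		case "slow_down":
			interval += 5 * unit
			fallthrough
		case "authorization_pending":
			seen = append(seen, tr.Error)
		default:
			return tr, seen, fmt.Errorf("token endpoint error: %s", tr.Error)
		}
	}
	return tokenResponse{}, seen, fmt.Errorf("device code expired before the user authorized it")
}

// RunDeviceFlow drives the exchange end to end: request the codes, tell the user where to go
// in a browser on their own machine (not the SSH host), then poll until tokens arrive.
func RunDeviceFlow(unit time.Duration) (tokenResponse, []string, error) {
	srv := StartFakeIdP()
	defer srv.Close()
	var da deviceAuthResponse
	if err := postForm(srv.URL+"/device_authorization", url.Values{"client_id": {"pomerium-cli"}}, &da); err != nil {
		return tokenResponse{}, nil, err
	}
	fmt.Printf("Open %s in a browser on your own machine and enter code %s\n", da.VerificationURI, da.UserCode)
	return PollForToken(srv.URL+"/token", da, unit)
}

func main() { fmt.Println(RunDeviceFlow(100 * time.Millisecond)) }
```

The printed line is what the user would see in the SSH session; nothing is ever delivered to a listener on the remote host, which is the property the issue is after. The CLI holds only the device code it was issued, so the IdP must make that value unguessable, and a real IdP would also rate-limit and expire it rather than simply counting polls as this stand-in does.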