Skip to content

feat(cli): auto-detect OIDC configuration during gateway add #2098

Description

@akram

Problem Statement

When registering a gateway with openshell gateway add https://<endpoint>, the CLI defaults to the Cloudflare Access edge-auth flow. On non-Cloudflare deployments, this hangs for 120 seconds and times out. Users must know about --oidc-issuer to use the OIDC flow.

While #2103 proposes making OIDC the default (simpler, more immediate), auto-detection would provide a seamless experience where gateway add works without any auth flags by querying the gateway for its configuration.

Proposed Design

During gateway add, the CLI queries the gateway's Health or a new metadata endpoint to detect the auth configuration:

  1. gateway add https://<endpoint> (no auth flags)
  2. CLI calls the Health gRPC endpoint (already works without auth)
  3. If the gateway reports OIDC is configured, the CLI extracts the issuer URL and client ID, then starts the OIDC browser flow automatically
  4. If no OIDC is configured and no Cloudflare is detected, display a clear message listing the available options

Server-side change

Extend the HealthResponse (or add a new GatewayInfo RPC) to include the auth mode:

message HealthResponse {
  // existing fields...
  AuthInfo auth_info = N;
}

message AuthInfo {
  string auth_mode = 1;         // "oidc", "edge", "unauthenticated"
  string oidc_issuer = 2;       // populated when auth_mode is "oidc"
  string oidc_client_id = 3;
}

CLI-side change

In gateway_add(), before starting any auth flow:

if oidc_issuer.is_none() && !local && !edge_auth {
    if let Some(info) = query_gateway_auth_info(&endpoint).await {
        match info.auth_mode.as_str() {
            "oidc" => { /* use info.oidc_issuer and info.oidc_client_id */ }
            "unauthenticated" => { /* register as local */ }
            _ => { /* prompt user */ }
        }
    }
}

Alternatives Considered

  1. Make OIDC the default, require --edge-auth for CF (feat(cli): make OIDC the default auth for HTTPS endpoints, add --edge-auth for Cloudflare #2103): Simpler and more immediate. Doesn't require server-side changes. Recommended as the first step — auto-detection can come later as a refinement.

  2. Try OIDC discovery on the gateway endpoint: Fetch <endpoint>/.well-known/openid-configuration. Won't work — the gateway doesn't serve OIDC metadata, the IdP does.

  3. Client-side heuristic: Try edge-auth for 5 seconds, fall back to prompting. Fragile and still wastes time.

Agent Investigation

  • Explored crates/openshell-cli/src/run.rs:940-960 — confirmed gateway_add() has no detection logic, it defaults to edge-auth for any HTTPS endpoint.
  • Explored crates/openshell-server/src/grpc/health.rs — the Health RPC returns basic status. Adding auth info would be a small extension.
  • Explored crates/openshell-server/src/cli.rs — the gateway's OIDC config (issuer, audience) is available at startup in the server state.

Related


  • I've reviewed existing issues and the architecture docs
  • This is a design proposal, not a "please build this" request

Metadata

Metadata

Assignees

No one assigned

    Labels

    area:cliCLI-related workduplicateThis issue or pull request already exists

    Fields

    No fields configured for Enhancement.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions