You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When registering a gateway with openshell gateway add https://<endpoint>, the CLI defaults to the Cloudflare Access edge-auth flow. On non-Cloudflare deployments, this hangs for 120 seconds and times out. Users must know about --oidc-issuer to use the OIDC flow.
While #2103 proposes making OIDC the default (simpler, more immediate), auto-detection would provide a seamless experience where gateway add works without any auth flags by querying the gateway for its configuration.
Proposed Design
During gateway add, the CLI queries the gateway's Health or a new metadata endpoint to detect the auth configuration:
gateway add https://<endpoint> (no auth flags)
CLI calls the Health gRPC endpoint (already works without auth)
If the gateway reports OIDC is configured, the CLI extracts the issuer URL and client ID, then starts the OIDC browser flow automatically
If no OIDC is configured and no Cloudflare is detected, display a clear message listing the available options
Server-side change
Extend the HealthResponse (or add a new GatewayInfo RPC) to include the auth mode:
if oidc_issuer.is_none() && !local && !edge_auth {ifletSome(info) = query_gateway_auth_info(&endpoint).await{match info.auth_mode.as_str(){"oidc" => {/* use info.oidc_issuer and info.oidc_client_id */}"unauthenticated" => {/* register as local */}
_ => {/* prompt user */}}}}
Try OIDC discovery on the gateway endpoint: Fetch <endpoint>/.well-known/openid-configuration. Won't work — the gateway doesn't serve OIDC metadata, the IdP does.
Client-side heuristic: Try edge-auth for 5 seconds, fall back to prompting. Fragile and still wastes time.
Agent Investigation
Explored crates/openshell-cli/src/run.rs:940-960 — confirmed gateway_add() has no detection logic, it defaults to edge-auth for any HTTPS endpoint.
Explored crates/openshell-server/src/grpc/health.rs — the Health RPC returns basic status. Adding auth info would be a small extension.
Explored crates/openshell-server/src/cli.rs — the gateway's OIDC config (issuer, audience) is available at startup in the server state.
Problem Statement
When registering a gateway with
openshell gateway add https://<endpoint>, the CLI defaults to the Cloudflare Access edge-auth flow. On non-Cloudflare deployments, this hangs for 120 seconds and times out. Users must know about--oidc-issuerto use the OIDC flow.While #2103 proposes making OIDC the default (simpler, more immediate), auto-detection would provide a seamless experience where
gateway addworks without any auth flags by querying the gateway for its configuration.Proposed Design
During
gateway add, the CLI queries the gateway's Health or a new metadata endpoint to detect the auth configuration:gateway add https://<endpoint>(no auth flags)Server-side change
Extend the
HealthResponse(or add a newGatewayInfoRPC) to include the auth mode:CLI-side change
In
gateway_add(), before starting any auth flow:Alternatives Considered
Make OIDC the default, require
--edge-authfor CF (feat(cli): make OIDC the default auth for HTTPS endpoints, add --edge-auth for Cloudflare #2103): Simpler and more immediate. Doesn't require server-side changes. Recommended as the first step — auto-detection can come later as a refinement.Try OIDC discovery on the gateway endpoint: Fetch
<endpoint>/.well-known/openid-configuration. Won't work — the gateway doesn't serve OIDC metadata, the IdP does.Client-side heuristic: Try edge-auth for 5 seconds, fall back to prompting. Fragile and still wastes time.
Agent Investigation
crates/openshell-cli/src/run.rs:940-960— confirmedgateway_add()has no detection logic, it defaults to edge-auth for any HTTPS endpoint.crates/openshell-server/src/grpc/health.rs— the Health RPC returns basic status. Adding auth info would be a small extension.crates/openshell-server/src/cli.rs— the gateway's OIDC config (issuer, audience) is available at startup in the server state.Related