Agent Diagnostic
- Explored
crates/openshell-cli/src/auth.rs:158-168 — the timeout handler returns a generic message: "authentication timed out after 120 seconds. Try again with: openshell gateway login".
- Explored
crates/openshell-cli/src/run.rs:1162-1195 — browser_auth_flow() is called for any HTTPS gateway without --oidc-issuer or --local. There is no detection of whether the flow failed because Cloudflare is missing vs. a transient error.
- Verified by deploying on OpenShift without Cloudflare: the timeout message gives no indication that OIDC or
--local would work. Re-running gateway login produces the same timeout.
Description
When the Cloudflare Access edge-auth flow times out (no CF_Authorization cookie arrives after 120 seconds), the CLI displays:
⚠ Authentication skipped: authentication timed out after 120 seconds.
Try again with: openshell gateway login
This message is unhelpful because re-running gateway login produces the same result. The user has no indication that the flow requires Cloudflare Access, or that --oidc-issuer is the correct alternative for non-Cloudflare deployments.
Reproduction Steps
- Deploy the gateway on any Kubernetes cluster without Cloudflare Access
- Run
openshell gateway add https://<endpoint> --gateway-insecure
- Press Enter to open the browser
- Wait 120 seconds
Expected: The timeout message suggests alternatives (OIDC, --local).
Actual:
⚠ Authentication skipped: authentication timed out after 120 seconds.
Try again with: openshell gateway login
Environment
- OS: macOS 15.x (Apple Silicon)
- OpenShift: ROSA HCP 4.21 (Kubernetes 1.34.2)
- OpenShell: CLI v0.0.45
Proposed Fix
Replace the timeout message at crates/openshell-cli/src/auth.rs:163-166 with actionable guidance:
⚠ Authentication timed out. The browser-based login requires a Cloudflare Access
proxy in front of the gateway.
If your gateway uses OIDC authentication, re-register with:
openshell gateway add <endpoint> --oidc-issuer <issuer-url>
If your gateway allows unauthenticated access, re-register with:
openshell gateway add <endpoint> --local
Related
Agent Diagnostic
crates/openshell-cli/src/auth.rs:158-168— the timeout handler returns a generic message: "authentication timed out after 120 seconds. Try again with: openshell gateway login".crates/openshell-cli/src/run.rs:1162-1195—browser_auth_flow()is called for any HTTPS gateway without--oidc-issueror--local. There is no detection of whether the flow failed because Cloudflare is missing vs. a transient error.--localwould work. Re-runninggateway loginproduces the same timeout.Description
When the Cloudflare Access edge-auth flow times out (no
CF_Authorizationcookie arrives after 120 seconds), the CLI displays:This message is unhelpful because re-running
gateway loginproduces the same result. The user has no indication that the flow requires Cloudflare Access, or that--oidc-issueris the correct alternative for non-Cloudflare deployments.Reproduction Steps
openshell gateway add https://<endpoint> --gateway-insecureExpected: The timeout message suggests alternatives (OIDC,
--local).Actual:
Environment
Proposed Fix
Replace the timeout message at
crates/openshell-cli/src/auth.rs:163-166with actionable guidance:Related
debug-openshell-cluster,debug-inference,openshell-cli)