Is your feature request related to a problem? Please describe.
Pomerium only offers the ability to perform programmatic access using the callback flow.
For instance, a localhost listener is started and, once the user has performed their authentication to Pomerium, their browser opens the redirect URL to the local listener to finish the authentication and pass the Pomerium JWT credentials.
However, in a situation where the programmatic access command is run from a remote host, this does not work.
For instance, when running pomerium-cli k8s exec-credential https://myk8sapiserver.example.com whilst connected over SSH to a remote machine, the localhost listener will be opened on the remote machine and the programmatic authentication will fail.
Describe the solution you'd like
One way to solve this is to use the OAuth2 Device Authorization flow, where the programmatic client requests a unique code from the IdP and prompts the user to perform the authentication using this code whilst polling the IdP for the result of the authentication. The user follows the link with their browser and performs the authentication; meanwhile the CLI tool, which was polling, retrieves the corresponding access/id_token.
I believe Pomerium might have to implement some sort of proxying of the Device Authorization flow in order for this to work smoothly and transparently. This would likely require exposing the .well-known/openid-configuration endpoint so that supported clients can retrieve the necessary endpoints to call for this flow (token_endpoint and device_authorization_endpoint in the discovery document).
Alternatively, the flow could stay fairly custom (especially if a Pomerium JWT is returned instead of an OAuth2 access token/ID token), but that means that custom clients have to be written (which is acceptable for my use case with pomerium-cli).
Describe alternatives you've considered
The only way to make the current model work is to use port-forwarding between the endpoint and the remote machine, preferably using a static port mapping, but it gets messy very quickly if hosts are shared between different users.
Additional context
Example flow:
pomerium-cli k8s exec-credential https://myhost.example.com
Please authorize your device by visiting https://idp.company.com/activate?user_code=SRKDZLFS
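The device-flow exchange described above, as an added example that is not part of the issue and not Pomerium's or pomerium-cli's code: the IdP side is a constructed in-process stand-in that speaks the RFC 8628 messages, the transport is reduced to a function call so it runs offline, and the client_id, device code, token and verification URI are made-up values; only the user code SRKDZLFS is taken from the example flow above.

```go
package main

import (
	"fmt"
	"net/url"
)

const grantType = "urn:ietf:params:oauth:grant-type:device_code" // RFC 8628 §3.4
// endpoint stands for one HTTPS POST to the IdP; the transport is abstracted so the example runs offline.
type endpoint func(path string, form url.Values) map[string]string

// fakeIdP is a constructed IdP, not Pomerium's code: /device hands out the codes (RFC 8628 §3.2) and
// /token answers authorization_pending until the user "finishes" after `pending` polls, then issues a token.
func fakeIdP(pending int) endpoint {
	polls := 0
	return func(path string, form url.Values) map[string]string {
		switch {
		case path == "/device":
			return map[string]string{"device_code": "dc-constructed", "user_code": "SRKDZLFS",
				"verification_uri": "https://idp.example.test/activate"}
		case form.Get("grant_type") != grantType || form.Get("device_code") != "dc-constructed":
			return map[string]string{"error": "invalid_grant"} // wrong grant type or unknown code: reject
		case polls < pending:
			polls++
			return map[string]string{"error": "authorization_pending"} // user is still in the browser
		default:
			return map[string]string{"access_token": "at-constructed"} // user approved: issue the token
		}
	}
}

// deviceFlow is the CLI side the issue describes: request a code, tell the user where to enter it,
// then poll the token endpoint until the IdP reports the outcome. A real client also sleeps the
// advertised interval between polls and adds 5 s on slow_down (RFC 8628 §3.5); the wait is omitted here.
func deviceFlow(idp endpoint, maxPolls int) (string, error) {
	da := idp("/device", url.Values{"client_id": {"pomerium-cli"}}) // client_id is a made-up value
	fmt.Printf("Please authorize your device by visiting %s?user_code=%s\n", da["verification_uri"], da["user_code"])
	for i := 0; i < maxPolls; i++ {
		tr := idp("/token", url.Values{"grant_type": {grantType}, "device_code": {da["device_code"]}})
		switch tr["error"] {
		case "":
			return tr["access_token"], nil // the user approved in their browser; the CLI holds the token
		case "authorization_pending": // the user has not finished yet: poll again
		default:
			return "", fmt.Errorf("device flow failed: %s", tr["error"]) // access_denied, expired_token, ...
		}
	}
	return "", fmt.Errorf("no decision after %d polls", maxPolls)
}
```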