
[Token]: Add OAuth auth code flow for easier authentication

Open binaryoverload opened this issue 1 month ago • 0 comments

When using kubelogin (https://github.com/int128/kubelogin), the default authentication experience opens the user’s browser and runs a local HTTP callback listener to complete the OAuth flow.

This PR brings the same experience to the Rancher CLI, enabling easier Microsoft sign-in compared with the device-code flow (which can be more cumbersome).

Changes

  • Add two new flags to the token command:
    • --oauth-flow - select the OAuth flow (device is the default for backwards compatibility; authcode enables the browser-based flow)
    • --oauth-callback-port - local port to use for the redirect/callback listener
  • Implement the authorisation-code flow in token. When --oauth-flow=authcode is selected, the command will:
    • start a local HTTP server on the chosen port (localhost callback)
    • construct the OAuth authorisation URL and open it in the user’s browser
    • receive the auth code from the redirect request and exchange it for a token
    • submit that token to Rancher to obtain the cluster authentication token

AI Disclaimer

The bulk of this PR was drafted with GitHub Copilot (as indicated by the commit author), then manually reviewed and tested by me.

binaryoverload, Jan 12 '26 13:01
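The security-relevant core of the browser-based flow described in the post above, as an added example that is not code from this PR or from the Rancher CLI: building the authorisation URL and accepting the code from the localhost redirect. The `state` check and PKCE (RFC 7636, S256) are assumptions about how such a flow is hardened and are not mentioned in the post; the endpoint, client ID, port and `/callback` path are hypothetical placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/url"
)

// randomToken returns 32 random bytes, base64url-encoded (used for state and PKCE verifier).
func randomToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// pkceChallenge derives the S256 code_challenge from a verifier (RFC 7636).
func pkceChallenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// authURL builds the URL opened in the browser; endpoint and clientID are placeholders.
func authURL(endpoint, clientID string, port int, state, verifier string) string {
	q := url.Values{"response_type": {"code"}, "client_id": {clientID},
		"redirect_uri": {fmt.Sprintf("http://localhost:%d/callback", port)},
		"state":        {state}, "code_challenge": {pkceChallenge(verifier)},
		"code_challenge_method": {"S256"}}
	return endpoint + "?" + q.Encode()
}

// codeFromCallback returns the auth code only when the redirect carries our state.
func codeFromCallback(r *http.Request, wantState string) (string, error) {
	q := r.URL.Query()
	if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(wantState)) != 1 {
		return "", fmt.Errorf("state mismatch: callback does not belong to this login")
	}
	if q.Get("code") == "" {
		return "", fmt.Errorf("callback carried no code (error=%q)", q.Get("error"))
	}
	return q.Get("code"), nil
}

func main() {
	state, verifier := randomToken(), randomToken() // keep both until the token exchange
	fmt.Println(authURL("https://idp.example/authorize", "example-client", 8085, state, verifier))
}
```

The callback listener itself should bind to the loopback interface only (for example `net.Listen("tcp", "127.0.0.1:8085")`) and shut down after the first accepted callback. The verifier is sent as `code_verifier` in the token exchange.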