Lets services point the browser SSO authorize redirect at the public
MCIAS hostname while keeping the server-to-server code exchange on the
internal/Tailnet address (efficient, edge-independent). PublicURL is
optional and falls back to MciasURL.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Firefox does not reliably store Set-Cookie headers on 302 responses
that redirect to a different origin. Change RedirectToLogin to return
a 200 with an HTML meta-refresh instead, ensuring cookies are stored
before navigation.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
SetReturnToCookie stored /sso/redirect as the return-to path,
causing a redirect loop after successful SSO login: the callback
would redirect back to /sso/redirect instead of /. Filter all
/sso/* paths, not just /sso/callback.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New package providing the client side of the MCIAS SSO authorization
code flow. Web services use this to redirect users to MCIAS for login
and exchange the returned authorization code for a JWT.
- Client type with AuthorizeURL() and ExchangeCode() (TLS 1.3 minimum)
- State cookie helpers (SameSite=Lax for cross-site redirect compat)
- Return-to cookie for preserving the original URL across the redirect
- RedirectToLogin() and HandleCallback() high-level helpers
- Full test suite with mock MCIAS server
Security:
- State is 256-bit random, stored in HttpOnly/Secure/Lax cookie
- Return-to URLs stored client-side only (MCIAS never sees them)
- Login/callback paths excluded from return-to to prevent loops
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
