sso: public MCIAS authorize URL + docs

Add [sso].public_url so the browser SSO authorize redirect uses the public MCIAS hostname while the code exchange stays on the internal address (mcdsl v1.9.0). Document the SSO URL split and the rootless-podman / unikernel-eligibility rules in CLAUDE.md. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-11 11:20:50 -07:00
parent 5122e9cd87
commit b48fcc8465
6 changed files with 53 additions and 6 deletions
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -24,8 +24,16 @@ type Config struct {
 // SSOConfig holds SSO redirect settings for the web UI.
 type SSOConfig struct {
 	// RedirectURI is the callback URL that MCIAS redirects to after login.
-	// Must exactly match the redirect_uri registered in MCIAS config.
+	// Must exactly match the redirect_uri registered in MCIAS config. For
+	// public (non-Tailnet) browser access this must be the public hostname.
 	RedirectURI string `toml:"redirect_uri"`
+
+	// PublicURL is the browser-facing MCIAS base URL used to build the SSO
+	// authorize redirect (e.g. "https://mcias.metacircular.net"). When empty,
+	// the backend [mcias].server_url is used for the redirect too. Set this
+	// when browsers cannot resolve the internal MCIAS name; the
+	// server-to-server code exchange still uses [mcias].server_url.
+	PublicURL string `toml:"public_url"`
 }

 // ServerConfig holds HTTP/gRPC server settings. TLS fields are optional;
--- a/internal/webserver/server.go
+++ b/internal/webserver/server.go
@@ -28,7 +28,8 @@ type Config struct {
 	Tags        []string
 	// SSO fields — when RedirectURI is non-empty, the web UI uses SSO instead
 	// of the direct username/password login form.
-	MciasURL    string
+	MciasURL    string // internal MCIAS URL for the server-to-server code exchange
+	PublicURL   string // browser-facing MCIAS URL for the authorize redirect (optional)
 	CACert      string
 	RedirectURI string
 }
@@ -65,6 +66,7 @@ func New(cfg Config, database *db.DB, authenticator *auth.Authenticator, logger
 	if cfg.RedirectURI != "" {
 		ssoClient, err := mcdsso.New(mcdsso.Config{
 			MciasURL:    cfg.MciasURL,
+			PublicURL:   cfg.PublicURL,
 			ClientID:    "mcq",
 			RedirectURI: cfg.RedirectURI,
 			CACert:      cfg.CACert,
@@ -73,7 +75,12 @@ func New(cfg Config, database *db.DB, authenticator *auth.Authenticator, logger
 			return nil, fmt.Errorf("create SSO client: %w", err)
 		}
 		s.ssoClient = ssoClient
-		logger.Info("SSO enabled: redirecting to MCIAS for login", "mcias_url", cfg.MciasURL)
+		authorizeURL := cfg.PublicURL
+		if authorizeURL == "" {
+			authorizeURL = cfg.MciasURL
+		}
+		logger.Info("SSO enabled: redirecting to MCIAS for login",
+			"authorize_url", authorizeURL, "exchange_url", cfg.MciasURL)
 	}

 	return s, nil