mc/mcq
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sso: public MCIAS authorize URL + docs

Browse Source 
Add [sso].public_url so the browser SSO authorize redirect uses the
public MCIAS hostname while the code exchange stays on the internal
address (mcdsl v1.9.0). Document the SSO URL split and the rootless-podman
/ unikernel-eligibility rules in CLAUDE.md.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Kyle Isom
2026-06-11 11:20:50 -07:00
parent 5122e9cd87
commit b48fcc8465
6 changed files with 53 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
internal/config/config.go
View File

@@ -24,8 +24,16 @@ type Config struct {
// SSOConfig holds SSO redirect settings for the web UI.
type SSOConfig struct {
// RedirectURI is the callback URL that MCIAS redirects to after login.
// Must exactly match the redirect_uri registered in MCIAS config.
// Must exactly match the redirect_uri registered in MCIAS config. For
// public (non-Tailnet) browser access this must be the public hostname.
RedirectURI string `toml:"redirect_uri"`
// PublicURL is the browser-facing MCIAS base URL used to build the SSO
// authorize redirect (e.g. "https://mcias.metacircular.net"). When empty,
// the backend [mcias].server_url is used for the redirect too. Set this
// when browsers cannot resolve the internal MCIAS name; the
// server-to-server code exchange still uses [mcias].server_url.
PublicURL string `toml:"public_url"`
}
// ServerConfig holds HTTP/gRPC server settings. TLS fields are optional;