sso: public MCIAS authorize URL + docs

Add [sso].public_url so the browser SSO authorize redirect uses the
public MCIAS hostname while the code exchange stays on the internal
address (mcdsl v1.9.0). Document the SSO URL split and the rootless-podman
/ unikernel-eligibility rules in CLAUDE.md.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Kyle Isom
2026-06-11 11:20:50 -07:00
parent 5122e9cd87
commit b48fcc8465
6 changed files with 53 additions and 6 deletions


@@ -28,7 +28,8 @@ type Config struct {
Tags []string
// SSO fields — when RedirectURI is non-empty, the web UI uses SSO instead
// of the direct username/password login form.
MciasURL string
MciasURL string // internal MCIAS URL for the server-to-server code exchange
PublicURL string // browser-facing MCIAS URL for the authorize redirect (optional)
CACert string
RedirectURI string
}
@@ -65,6 +66,7 @@ func New(cfg Config, database *db.DB, authenticator *auth.Authenticator, logger
if cfg.RedirectURI != "" {
ssoClient, err := mcdsso.New(mcdsso.Config{
MciasURL: cfg.MciasURL,
PublicURL: cfg.PublicURL,
ClientID: "mcq",
RedirectURI: cfg.RedirectURI,
CACert: cfg.CACert,
@@ -73,7 +75,12 @@ func New(cfg Config, database *db.DB, authenticator *auth.Authenticator, logger
return nil, fmt.Errorf("create SSO client: %w", err)
}
s.ssoClient = ssoClient
logger.Info("SSO enabled: redirecting to MCIAS for login", "mcias_url", cfg.MciasURL)
authorizeURL := cfg.PublicURL
if authorizeURL == "" {
authorizeURL = cfg.MciasURL
}
logger.Info("SSO enabled: redirecting to MCIAS for login",
"authorize_url", authorizeURL, "exchange_url", cfg.MciasURL)
}
return s, nil