mc/metacrypt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sso: support public MCIAS authorize URL for non-Tailnet browsers

Browse Source 
Add [sso].public_url: the browser-facing MCIAS base URL for the SSO
authorize redirect, kept separate from [mcias].server_url (the internal
address used for the server-to-server code exchange). Enables public SSO
without routing internal auth through the edge. Bumps mcdsl to v1.9.0.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Kyle Isom
2026-06-11 11:06:43 -07:00
parent bed563fd20
commit ee31dff01e
7 changed files with 48 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
internal/config/config.go
View File

@@ -37,8 +37,16 @@ type MCIASConfig struct {
// SSOConfig holds SSO redirect settings for the web UI.
type SSOConfig struct {
// RedirectURI is the callback URL that MCIAS redirects to after login.
// Must exactly match the redirect_uri registered in MCIAS config.
// Must exactly match the redirect_uri registered in MCIAS config. For
// public (non-Tailnet) browser access this must be the public hostname.
RedirectURI string `toml:"redirect_uri"`
// PublicURL is the browser-facing MCIAS base URL used to build the SSO
// authorize redirect (e.g. "https://mcias.metacircular.net"). When empty,
// the backend [mcias].server_url is used for the redirect too. Set this
// when browsers cannot resolve the internal MCIAS name; the
// server-to-server code exchange still uses [mcias].server_url.
PublicURL string `toml:"public_url"`
}
// WebConfig holds settings for the standalone web UI server (metacrypt-web).

8
internal/webserver/server.go
View File

@@ -175,6 +175,7 @@ func New(cfg *config.Config, logger *slog.Logger) (*WebServer, error) {
if cfg.SSO.RedirectURI != "" {
ssoClient, ssoErr := mcdsso.New(mcdsso.Config{
MciasURL: cfg.MCIAS.ServerURL,
PublicURL: cfg.SSO.PublicURL,
ClientID: "metacrypt",
RedirectURI: cfg.SSO.RedirectURI,
CACert: cfg.MCIAS.CACert,
@@ -183,7 +184,12 @@ func New(cfg *config.Config, logger *slog.Logger) (*WebServer, error) {
return nil, fmt.Errorf("webserver: create SSO client: %w", ssoErr)
}
ws.ssoClient = ssoClient
logger.Info("SSO enabled: redirecting to MCIAS for login", "mcias_url", cfg.MCIAS.ServerURL)
authorizeURL := cfg.SSO.PublicURL
if authorizeURL == "" {
authorizeURL = cfg.MCIAS.ServerURL
}
logger.Info("SSO enabled: redirecting to MCIAS for login",
"authorize_url", authorizeURL, "exchange_url", cfg.MCIAS.ServerURL)
}
if tok := cfg.MCIAS.ServiceToken; tok != "" {