sso: support public MCIAS authorize URL for non-Tailnet browsers

Add [sso].public_url: the browser-facing MCIAS base URL for the SSO
authorize redirect, kept separate from [mcias].server_url (the internal
address used for the server-to-server code exchange). Enables public SSO
without routing internal auth through the edge. Bumps mcdsl to v1.9.0.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Kyle Isom
2026-06-11 11:06:43 -07:00
parent bed563fd20
commit ee31dff01e
7 changed files with 48 additions and 17 deletions


@@ -37,8 +37,16 @@ type MCIASConfig struct {
// SSOConfig holds SSO redirect settings for the web UI.
type SSOConfig struct {
// RedirectURI is the callback URL that MCIAS redirects to after login.
// Must exactly match the redirect_uri registered in MCIAS config.
// Must exactly match the redirect_uri registered in MCIAS config. For
// public (non-Tailnet) browser access this must be the public hostname.
RedirectURI string `toml:"redirect_uri"`
// PublicURL is the browser-facing MCIAS base URL used to build the SSO
// authorize redirect (e.g. "https://mcias.metacircular.net"). When empty,
// the backend [mcias].server_url is used for the redirect too. Set this
// when browsers cannot resolve the internal MCIAS name; the
// server-to-server code exchange still uses [mcias].server_url.
PublicURL string `toml:"public_url"`
}
// WebConfig holds settings for the standalone web UI server (metacrypt-web).
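Review bot: the new PublicURL field is documented as the base used to build the browser-facing authorize redirect, but nothing in this hunk constrains its value, so the config loader that reads `toml:"public_url"` should validate it (absolute URL, https scheme, non-empty host, no trailing slash) before it is spliced into a redirect handed to every user's browser; a schemeless or malformed value would otherwise produce a broken or host-relative redirect at login time. It would also help to extend the PublicURL comment to say that it must name the same MCIAS deployment as [mcias].server_url (the public and internal names of one instance), because the code issued at the public authorize endpoint is redeemed over the internal server_url and the two must refer to the same issuer, and to cross-reference the RedirectURI note two fields above, since when PublicURL is set for non-Tailnet access the registered redirect_uri has to be the public hostname as well.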