sso: support public MCIAS authorize URL for non-Tailnet browsers

Add [sso].public_url: the browser-facing MCIAS base URL for the SSO
authorize redirect, kept separate from [mcias].server_url (the internal
address used for the server-to-server code exchange). Enables public SSO
without routing internal auth through the edge. Bumps mcdsl to v1.9.0.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Kyle Isom
2026-06-11 11:06:43 -07:00
parent bed563fd20
commit ee31dff01e
7 changed files with 48 additions and 17 deletions


@@ -175,6 +175,7 @@ func New(cfg *config.Config, logger *slog.Logger) (*WebServer, error) {
if cfg.SSO.RedirectURI != "" {
ssoClient, ssoErr := mcdsso.New(mcdsso.Config{
MciasURL: cfg.MCIAS.ServerURL,
PublicURL: cfg.SSO.PublicURL,
ClientID: "metacrypt",
RedirectURI: cfg.SSO.RedirectURI,
CACert: cfg.MCIAS.CACert,
@@ -183,7 +184,12 @@ func New(cfg *config.Config, logger *slog.Logger) (*WebServer, error) {
return nil, fmt.Errorf("webserver: create SSO client: %w", ssoErr)
}
ws.ssoClient = ssoClient
logger.Info("SSO enabled: redirecting to MCIAS for login", "mcias_url", cfg.MCIAS.ServerURL)
authorizeURL := cfg.SSO.PublicURL
if authorizeURL == "" {
authorizeURL = cfg.MCIAS.ServerURL
}
logger.Info("SSO enabled: redirecting to MCIAS for login",
"authorize_url", authorizeURL, "exchange_url", cfg.MCIAS.ServerURL)
}
if tok := cfg.MCIAS.ServiceToken; tok != "" {