Skip to content

Add --callback flag to tsh login#35457

Merged
atburke merged 1 commit intomasterfrom
atburke/tsh-login-callback
Jan 9, 2024
Merged

Add --callback flag to tsh login#35457
atburke merged 1 commit intomasterfrom
atburke/tsh-login-callback

Conversation

@atburke
Copy link
Copy Markdown
Contributor

@atburke atburke commented Dec 7, 2023

This change adds the --callback flag to tsh login, which overrides the base URL printed when doing an SSO login. This allows the tsh SSO login flow to be completed on a remote host (as long as the host running tsh is accessible over HTTPS with the given callback url).

Resolves gravitational/customer-sensitive-requests#135.

Changelog: Added --callback flag to tsh login

@github-actions github-actions Bot added size/sm tsh tsh - Teleport's command line tool for logging into nodes running Teleport. labels Dec 7, 2023
@github-actions github-actions Bot requested review from greedy52 and zmb3 December 7, 2023 01:04
@rosstimothy
Copy link
Copy Markdown
Contributor

rosstimothy commented Dec 12, 2023

When I tested this out the browser opens to a page which shows 404 page not found.

rosstimothy
rosstimothy reviewed Dec 12, 2023
View reviewed changes
Comment thread tool/tsh/common/tsh.go Outdated
@atburke
Copy link
Copy Markdown
Contributor Author

atburke commented Dec 12, 2023

When I tested this out the browser opens to a page which shows 404 page not found.

The setup needed for it to work is kind of specific. What flags did you pass to tsh login?

@rosstimothy
Copy link
Copy Markdown
Contributor

rosstimothy commented Dec 13, 2023

When I tested this out the browser opens to a page which shows 404 page not found.

The setup needed for it to work is kind of specific. What flags did you pass to tsh login?

I think when I originally tested this flow that the callback was being served by my local Teleport Proxy. I tried again with nothing listening locally on port 443 with --callback=http://localhost and with --callback=http://alias-to-localhost which resulted in my browser showing This site can’t be reached. This makes sense because tsh is listening on a random port that isn't reflected in the callback. I was able to successfully login via --callback=http://localhost:55823 --bind-addr=127.0.0.1:55823, though I worry it may not be obvious to users that both options might be needed for this to truly work.

@rosstimothy rosstimothy self-requested a review December 13, 2023 14:57
@atburke atburke force-pushed the atburke/tsh-login-callback branch from 5c4124e to 7c72e40 Compare December 13, 2023 21:50
rosstimothy
rosstimothy reviewed Dec 14, 2023
View reviewed changes
Comment thread lib/client/redirect.go Outdated
Comment thread tool/tsh/common/tsh.go
@rosstimothy rosstimothy self-requested a review December 14, 2023 22:10
jentfoo
jentfoo suggested changes Dec 15, 2023
View reviewed changes
Copy link
Copy Markdown
Contributor

@jentfoo jentfoo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am a little concerned about this change. I believe it's possible to safely introduce this feature, but right now customers could use it without realizing the security implications. I also think the enforcement of an https schema is important.

Please let me know your thoughts, thank you!

Comment thread lib/client/redirect.go Outdated
Comment thread tool/tsh/common/tsh.go Outdated
jentfoo
jentfoo approved these changes Dec 18, 2023
View reviewed changes
Copy link
Copy Markdown
Contributor

@jentfoo jentfoo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for adding the most recent changes. Given the direct prompt and schema enforcement I feel users can reasonably understand the risks of this feature.

rosstimothy
rosstimothy reviewed Dec 18, 2023
View reviewed changes
Comment thread lib/client/weblogin.go Outdated
@atburke atburke force-pushed the atburke/tsh-login-callback branch from e80ee00 to c96ed0b Compare January 8, 2024 23:59
@atburke
Copy link
Copy Markdown
Contributor Author

atburke commented Jan 9, 2024

Friendly ping @rosstimothy

@atburke
Add callback flag to tsh login
6267d9d 
This change adds the --callback flag to tsh login, which overrides
the base URL printed when doing an SSO login.
@atburke atburke force-pushed the atburke/tsh-login-callback branch from c96ed0b to 6267d9d Compare January 9, 2024 19:15
@atburke atburke enabled auto-merge January 9, 2024 19:15
@atburke atburke added this pull request to the merge queue Jan 9, 2024
Merged via the queue into master with commit d29a6ed Jan 9, 2024
@atburke atburke deleted the atburke/tsh-login-callback branch January 9, 2024 19:51
@public-teleport-github-review-bot
Copy link
Copy Markdown

public-teleport-github-review-bot Bot commented Jan 9, 2024

@atburke See the table below for backport results.

Branch Result
branch/v14 Create PR

This was referenced Jan 9, 2024
Merged
Merged
@webvictim webvictim mentioned this pull request Jun 21, 2024
Closed
@webvictim
Copy link
Copy Markdown
Contributor

webvictim commented Jun 21, 2024

Documentation is missing for this: #43373

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rosstimothy rosstimothy rosstimothy approved these changes

+2 more reviewers

@mdwn mdwn mdwn approved these changes

@jentfoo jentfoo jentfoo approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

size/sm tsh tsh - Teleport's command line tool for logging into nodes running Teleport.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@atburke @rosstimothy @webvictim @mdwn @jentfoo