Commit 7fd3448
fix(auth): use datumctl-cli client_id for device-code grant
Our own OIDC client (datum-desktop-app, configured in
datum-cloud/infra apps/datum-iam-system/.../zitadel-setup/pulumi/index.ts)
has only AUTHORIZATION_CODE + REFRESH_TOKEN in its allow-listed
grantTypes. Zitadel correctly rejects the device-code grant against it:
unauthorized_client: grant_type "...device_code" not allowed
datumctl-cli (a sibling OIDC app in the same Zitadel project) already
has DEVICE_CODE in its grantTypes and has stable, well-known IDs in
datumctl's source:
Staging: 325848904128073754
Production: 328728232771788043
Borrow them for the --no-browser path until the planned datumctl
connect plugin ships with its own properly-scoped client. Tokens are
minted by Zitadel against the same project, so downstream Datum API
calls don't care which client minted them. The audience verifier on
id_token_verifier already allows any audience.
Regular `auth login` (browser flow) is unchanged — it stays on the
datum-desktop-app client.
1 parent e0ce7c0 commit 7fd3448
3 files changed
Lines changed: 20 additions & 3 deletions
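The commit message notes that the audience verifier on id_token_verifier accepts any audience, which is what lets tokens minted by either client pass downstream. As an added example (not code from this repository), the check below instead admits only the clients registered for the current environment, using the two datumctl-cli IDs quoted in the message; the datum-desktop-app IDs are not on the page and are placeholders, and signature verification is assumed to have happened before the payload reaches this function.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Client IDs per environment. The datumctl-cli IDs are those quoted in the
// commit message; the datum-desktop-app IDs are placeholders (assumption).
var allowedAudiences = map[string]map[string]bool{
	"staging": {
		"325848904128073754":                 true, // datumctl-cli, staging
		"PLACEHOLDER_DESKTOP_APP_STAGING_ID": true, // datum-desktop-app, assumed
	},
	"production": {
		"328728232771788043":              true, // datumctl-cli, production
		"PLACEHOLDER_DESKTOP_APP_PROD_ID": true, // datum-desktop-app, assumed
	},
}

// CheckAudience takes the JSON payload of an ID token whose signature has
// already been verified and accepts it only if at least one "aud" value is a
// client registered for env. A missing, empty or malformed aud is rejected.
func CheckAudience(payload []byte, env string) error {
	var c struct{ Aud json.RawMessage `json:"aud"` }
	if err := json.Unmarshal(payload, &c); err != nil {
		return fmt.Errorf("parse claims: %w", err)
	}
	// RFC 7519: "aud" may be a single string or an array of strings.
	var auds []string
	var one string
	if json.Unmarshal(c.Aud, &one) == nil {
		auds = []string{one}
	} else if json.Unmarshal(c.Aud, &auds) != nil {
		return fmt.Errorf("aud claim missing or malformed")
	}
	for _, a := range auds {
		if allowedAudiences[env][a] { // nil map lookup for unknown env is false
			return nil
		}
	}
	return fmt.Errorf("aud %v is not a known %s client", auds, env)
}

func main() {
	// Constructed sample: an ID token minted against datumctl-cli (staging).
	sample := []byte(`{"aud":["325848904128073754"],"sub":"user-1"}`)
	fmt.Println(CheckAudience(sample, "staging"), CheckAudience(sample, "production"))
}
```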
Diff: the changed line contents were not rendered on this page; only the line numbers survived.
First shown file: line 3 replaced (one deletion, one addition).
Second shown file: 13 lines added after line 307 (new lines 308-320), 4 lines added after old line 308 (new lines 322-325), and old line 316 replaced by new line 333.