Webpack served UI functional until kratos self service login

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>

Author: ddelnano

k8s/cloud/base/ory_auth/hydra/hydra_config.yaml

@@ -9,9 +9,33 @@ data:
     serve:
       cookies:
         same_site_mode: Strict
+      public:
+        cors:
+          enabled: true
+          allowed_origins:
+            - https://*.${PL_DOMAIN_NAME}
+          allowed_methods:
+            - POST
+            - GET
+            - PUT
+            - PATCH
+            - DELETE
+          allowed_headers:
+            - Authorization
+            - Content-Type
+          exposed_headers:
+            - Content-Type
 
     oidc:
       subject_identifiers:
         supported_types:
           - pairwise
           - public
+      dynamic_client_registration:
+        enabled: true
+        default_scope:
+          - openid
+          - offline
+          - notifications
+          - gist
+          - vizier

k8s/cloud/base/ory_auth/hydra/hydra_deployment.yaml

@@ -122,8 +122,12 @@ spec:
           value: /certs/server.crt
         - name: SERVE_TLS_KEY_PATH
           value: /certs/server.key
+        - name: SERVE_PUBLIC_CORS_ALLOWED_ORIGINS_0
+          value: https://$(PL_DOMAIN_NAME)
+        - name: SERVE_PUBLIC_CORS_ALLOWED_ORIGINS_1
+          value: https://work.$(PL_DOMAIN_NAME)
         - name: PL_WORK_DOMAIN
-          value: work.$(PL_DOMAIN_NAME)
+          value: work.$(PL_DOMAIN_NAME):8080
         - name: PL_OAUTH_DOMAIN
           value: $(PL_WORK_DOMAIN)/oauth
         - name: HYDRA_URL
@@ -161,74 +165,6 @@ spec:
           runAsUser: 10100
           seccompProfile:
             type: RuntimeDefault
-      - name: client-create-or-update
-        imagePullPolicy: IfNotPresent
-        image: docker.io/ddelnano/hydra:v2.3.0-alpine-go1.23@sha256:371daf5cc7477ae607d1011440da784c366b74c7cc8acea2322826b82c789fe1
-        command: ['sh', '-c', 'set -x;
-          echo "Waiting for hydra to be ready";
-          URL="${PL_HYDRA_ADMIN_HOST}/health/ready";
-          until [
-            $(wget --no-check-certificate --spider --quiet --server-response ${URL} 2>&1 |
-              awk ''NR==1{print $2}'') -eq 200
-          ]; do
-            echo "waiting for ${URL}";
-            sleep 2;
-          done;
-
-          count=$(hydra list oauth2-clients -e ${PL_HYDRA_ADMIN_HOST} --skip-tls-verify --format json | jq ".items | length");
-          success=$?;
-          if [ $success -ne 0 ]; then
-            echo "Error checking for existing client";
-            exit 1;
-          fi;
-
-          if [ $count -gt 0 ]; then
-            echo "Client already created";
-            sleep infinity;
-          fi;
-
-          echo "Creating OAuth2 client";
-          hydra create oauth2-client
-             --endpoint ${PL_HYDRA_ADMIN_HOST}
-             --secret "${HYDRA_CLIENT_SECRET}"
-             --format json
-             --skip-tls-verify
-             --grant-type authorization_code
-             --grant-type refresh_token
-             --grant-type implicit
-             --response-type code
-             --response-type id_token
-             --response-type token
-             --scope openid
-             --scope offline
-             --scope notifications
-             --scope gist
-             --scope vizier
-             --redirect-uri "https://${PL_DOMAIN_NAME}/oauth/auth/callback"
-             --redirect-uri "https://work.${PL_DOMAIN_NAME}/auth/callback"
-             --name "pixie-auth-client";
-          sleep infinity;
-        ']
-        envFrom:
-        - configMapRef:
-            name: pl-domain-config
-        - configMapRef:
-            name: pl-ory-service-config
-        env:
-        - name: HYDRA_CLIENT_SECRET
-          valueFrom:
-            secretKeyRef:
-              name: pl-hydra-secrets
-              key: CLIENT_SECRET
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          runAsNonRoot: true
-          runAsUser: 10100
-          seccompProfile:
-            type: RuntimeDefault
       restartPolicy: Always
       volumes:
       - name: config

k8s/cloud/base/ory_auth/kratos/kratos_deployment.yaml

@@ -100,7 +100,7 @@ spec:
         - name: LOG_LEVEL
           value: trace
         - name: PL_WORK_DOMAIN
-          value: work.$(PL_DOMAIN_NAME)
+          value: work.$(PL_DOMAIN_NAME):8080
         - name: PL_OAUTH_DOMAIN
           value: $(PL_WORK_DOMAIN)/oauth
         - name: FRONTEND_URL

src/ui/src/pages/auth/hydra-oauth-provider.ts

@@ -28,14 +28,15 @@ import * as QueryString from 'query-string';
 import { FormField, FormStructure } from 'app/components';
 import { HydraInvitationForm } from 'app/containers/admin/hydra-invitation-form';
 import { HydraButtons, RejectHydraSignup } from 'app/containers/auth/hydra-buttons';
-import { AUTH_CLIENT_ID, AUTH_URI } from 'app/containers/constants';
+import { AUTH_CLIENT_ID, AUTH_URI, OAUTH_PROVIDER } from 'app/containers/constants';
 
 import { CallbackArgs, getSignupArgs, getLoginArgs } from './callback-url';
 
 export const PasswordError = new Error('Kratos identity server error: Password method not found in flows.');
 export const FlowIDError = new Error('Auth server requires a flow parameter in the query string, but none were found.');
 
-const kratosClient = V0alpha2ApiFactory(null, '/oauth/kratos');
+const kratosUri = `${location.protocol}//${location.host}/oauth/kratos`;
+const kratosClient = V0alpha2ApiFactory(null, kratosUri);
 
 // Renders a form with an error and no fields.
 const displayErrorFormStructure = (error: Error): FormStructure => ({
@@ -81,56 +82,190 @@ function nodesToFormFields(nodes: Array<UiNode>): Array<FormField> {
     .filter(node => node);
 }
 
+// Dynamic client registration types
+interface OAuth2Client {
+  client_id: string;
+  client_secret?: string;
+  client_name?: string;
+  redirect_uris?: string[];
+  grant_types?: string[];
+  response_types?: string[];
+  scope?: string;
+  token_endpoint_auth_method?: string;
+}
+
+interface DynamicClientRegistrationResponse extends OAuth2Client {
+  client_id_issued_at?: number;
+  client_secret_expires_at?: number;
+  registration_client_uri?: string;
+  registration_access_token?: string;
+}
+
+// Cache for the dynamically registered client ID
+let cachedClientId: string | null = null;
+
+async function getDynamicClientId(): Promise<string> {
+  // Only use dynamic registration for hydra provider
+  if (OAUTH_PROVIDER !== 'hydra') {
+    return AUTH_CLIENT_ID;
+  }
+
+  // Return cached client ID if available
+  if (cachedClientId) {
+    return cachedClientId;
+  }
+
+  // Use /oauth/hydra prefix which will be stripped by the proxy
+  // Preserve the current port (e.g., :8080 for dev server)
+  const registrationEndpoint = `${window.location.protocol}//${window.location.host}/oauth/hydra/oauth2/register`;
+  console.log(`Dynamic client registration endpoint: ${registrationEndpoint}`);
+  
+  const redirect_uri = `${window.location.protocol}//${window.location.host}/auth/callback`;
+  console.log(`Using redirect URI: ${redirect_uri}`);
+
+  const clientMetadata: Partial<OAuth2Client> = {
+    client_name: 'pixie-auth-client',
+    redirect_uris: [
+      redirect_uri,
+    ],
+    grant_types: ['authorization_code', 'refresh_token', 'implicit'],
+    response_types: ['code', 'id_token', 'token'],
+    scope: 'openid offline notifications gist vizier',
+    token_endpoint_auth_method: 'none',
+  };
+
+  try {
+    const response = await fetch(registrationEndpoint, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'Accept': 'application/json',
+      },
+      body: JSON.stringify(clientMetadata),
+    });
+
+    if (!response.ok) {
+      const errorText = await response.text();
+      throw new Error(`Dynamic client registration failed: ${response.status} ${response.statusText} - ${errorText}`);
+    }
+
+    const data: DynamicClientRegistrationResponse = await response.json();
+    
+    if (!data.client_id) {
+      throw new Error('No client_id returned from dynamic registration');
+    }
+
+    // Cache the client ID for future use
+    cachedClientId = data.client_id;
+    
+    console.log('Successfully registered dynamic OAuth2 client:', data.client_id);
+    return data.client_id;
+  } catch (error) {
+    console.error('Failed to register dynamic client:', error);
+    // Fall back to static client ID if dynamic registration fails
+    console.warn('Falling back to static client ID');
+    return AUTH_CLIENT_ID;
+  }
+}
+
 export const HydraClient = {
-  userManager: new UserManager({
-    authority: AUTH_URI,
-    client_id: AUTH_CLIENT_ID,
-    redirect_uri: `${window.location.origin}/auth/callback`,
-    loadUserInfo: false,
-    scope: 'vizier',
-    response_type: 'token',
-  }),
+  userManager: null as UserManager | null,
+  userManagerPromise: null as Promise<UserManager> | null,
+
+  async getUserManager(): Promise<UserManager> {
+    // Return existing manager if available
+    if (this.userManager) {
+      return this.userManager;
+    }
+
+    // Return existing promise if initialization is in progress
+    if (this.userManagerPromise) {
+      return this.userManagerPromise;
+    }
+
+    // Start initialization
+    this.userManagerPromise = (async () => {
+      const clientId = await getDynamicClientId();
+      
+      this.userManager = new UserManager({
+        authority: AUTH_URI,
+        client_id: clientId,
+        redirect_uri: `${window.location.origin}/auth/callback`,
+        loadUserInfo: false,
+        scope: 'vizier',
+        response_type: 'token',
+      });
+
+      return this.userManager;
+    })();
+
+    return this.userManagerPromise;
+  },
 
   loginRequest(): void {
-    this.userManager.signinRedirect({
-      prompt: 'login',
-      state: {
-        redirectArgs: getLoginArgs(),
-      },
+    // Fire and forget - the redirect will happen once the client ID is obtained
+    this.getUserManager().then(userManager => {
+      userManager.signinRedirect({
+        prompt: 'login',
+        state: {
+          redirectArgs: getLoginArgs(),
+        },
+      });
+    }).catch(error => {
+      console.error('Failed to initiate login:', error);
+      // Could potentially show an error to the user here
     });
   },
 
   signupRequest(): void {
-    this.userManager.signinRedirect({
-      prompt: 'login',
-      state: {
-        redirectArgs: getSignupArgs(),
-      },
+    // Fire and forget - the redirect will happen once the client ID is obtained
+    this.getUserManager().then(userManager => {
+      userManager.signinRedirect({
+        prompt: 'login',
+        state: {
+          redirectArgs: getSignupArgs(),
+        },
+      });
+    }).catch(error => {
+      console.error('Failed to initiate signup:', error);
+      // Could potentially show an error to the user here
     });
   },
 
   refetchToken(): void {
-    this.userManager.signinRedirect({
-      state: {
-        redirectArgs: getLoginArgs(),
-      },
+    // Fire and forget - the redirect will happen once the client ID is obtained
+    this.getUserManager().then(userManager => {
+      userManager.signinRedirect({
+        state: {
+          redirectArgs: getLoginArgs(),
+        },
+      });
+    }).catch(error => {
+      console.error('Failed to refetch token:', error);
+      // Could potentially show an error to the user here
     });
   },
 
   handleToken(): Promise<CallbackArgs> {
-    return new Promise<CallbackArgs>((resolve, reject) => {
-      this.userManager.signinRedirectCallback()
-        .then((user) => {
-          if (!user) {
-            reject(new Error('user is undefined, please try logging in again'));
-          }
-          resolve({
-            redirectArgs: user.state.redirectArgs,
-            token: {
-              accessToken: user.access_token,
-            },
-          });
-        }).catch(reject);
+    return new Promise<CallbackArgs>(async (resolve, reject) => {
+      try {
+        const userManager = await this.getUserManager();
+        const user = await userManager.signinRedirectCallback();
+        
+        if (!user) {
+          reject(new Error('user is undefined, please try logging in again'));
+          return;
+        }
+        
+        resolve({
+          redirectArgs: user.state.redirectArgs,
+          token: {
+            accessToken: user.access_token,
+          },
+        });
+      } catch (error) {
+        reject(error);
+      }
     });
   },