Context
The current auth/oidc package provides only the OIDC/PKCE browser flow for token acquisition. It's incomplete — no token storage, no refresh, no HTTP client integration. No raystack project uses it.
Meanwhile, every raystack CLI (frontier, compass, guardian) connects to APIs without authentication, which only works in development/trusted environments. Production APIs require auth, and CLIs have no way to authenticate.
Proposed solution
A complete CLI auth package following the pattern of gh auth login, gcloud auth login, and terraform login:
```go
// Login — opens browser, does OIDC, stores token
auth.Login(ctx, auth.Config{
	Issuer:      "https://accounts.google.com",
	ClientID:    "...",
	RedirectURL: "http://localhost:5454",
})

// Token — reads stored token, refreshes if expired
token, err := auth.Token(ctx)

// Client — returns http.Client that auto-attaches the token
client := auth.Client(ctx)
```
Components
- Token acquisition — browser-based OIDC with PKCE (existing code from the dropped auth/oidc package)
- Token storage — secure local storage at ~/.config/raystack/<app>/token.json
- Token refresh — auto-refresh expired tokens using refresh_token
- HTTP client — http.RoundTripper that reads the stored token and attaches it to requests
- CLI commands — LoginCmd() and LogoutCmd() for easy integration with cli.Execute()
Integration with salt/cli
```go
cli.Execute(
	cli.Name("frontier"),
	cli.Commands(
		auth.LoginCmd(authConfig),
		auth.LogoutCmd(),
		userCmd, groupCmd,
	),
)

// In commands:
func newListCmd() *cobra.Command {
	return &cobra.Command{
		RunE: func(cmd *cobra.Command, args []string) error {
			// same auth.Client(ctx) as above; cobra carries the context on the command
			client := auth.Client(cmd.Context())
			// make authenticated API calls with client
			_ = client
			return nil
		},
	}
}
```
References
- auth/oidc package (dropped in the salt evolution PR, refactor: evolve salt into raystack service framework #85) had the PKCE flow