feat(tui): add OIDC authentication support #1405

Merged: TaylorMutch merged 1 commit into NVIDIA:main from sjenning:feat/tui-oidc-auth on May 15, 2026

@sjenning sjenning commented May 15, 2026

Summary

Currently, when logged into a gateway configured with OIDC authn, openshell term fails with missing authorization header.

Add OIDC authentication support to the openshell term TUI. Previously the TUI only worked with mTLS-authenticated gateways — OIDC gateways would silently fail because no bearer token was injected into gRPC requests.

  • Move EdgeAuthInterceptor from openshell-cli to openshell-core to avoid a circular dependency (CLI depends on TUI)
  • TUI now checks gateway metadata for auth mode and loads stored OIDC tokens on both startup and gateway switch
  • Expired tokens surface a clear error directing users to openshell gateway login

Related Issue

N/A

Changes

  • crates/openshell-core/src/auth.rs (new): EdgeAuthInterceptor with new() and noop() constructors
  • crates/openshell-cli/src/tls.rs: Remove interceptor definition, import from openshell_core::auth
  • crates/openshell-cli/src/main.rs: Build interceptor and pass to openshell_tui::run()
  • crates/openshell-tui/src/app.rs: Change client type to OpenShellClient<InterceptedService<Channel, EdgeAuthInterceptor>>
  • crates/openshell-tui/src/lib.rs: run() accepts interceptor; connect_to_gateway() dispatches on auth mode; new build_oidc_channel() and build_mtls_channel() helpers

Testing

  • mise run pre-commit passes
  • Unit tests added/updated
  • E2E tests added/updated (if applicable)
  • Manual: openshell term with mTLS gateway (no regression)
  • Manual: openshell term with OIDC gateway
  • Manual: gateway switching between mTLS and OIDC gateways

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
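
The behaviour listed in this description (dispatch on the gateway's auth mode, attach the stored bearer token, and report an expired token with a pointer to `openshell gateway login`), as an added std-only Rust example. It is not OpenShell's code: `AuthMode`, `StoredToken`, `AuthError`, `authorization_for` and the 30-second skew margin are hypothetical names and assumptions.

```rust
use std::{fmt, time::{Duration, SystemTime}};

// Hypothetical types for illustration; not OpenShell's own definitions.
#[derive(Debug, PartialEq)]
pub enum AuthMode { Mtls, Oidc }
pub struct StoredToken { pub access_token: String, pub expires_at: SystemTime }
#[derive(Debug, PartialEq)]
pub enum AuthError { NoToken, Expired, Malformed }

impl fmt::Display for AuthError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let why = match self {
            AuthError::NoToken => "no stored OIDC token",
            AuthError::Expired => "stored OIDC token has expired",
            AuthError::Malformed => "stored OIDC token is not a valid header value",
        };
        write!(f, "{why}; run `openshell gateway login`")
    }
}

// Assumed clock-skew margin: a token this close to expiry is refused locally.
const SKEW: Duration = Duration::from_secs(30);

/// Value for the `authorization` metadata key; `None` means mTLS, where the
/// client certificate authenticates the channel and no header is attached.
pub fn authorization_for(mode: &AuthMode, token: Option<&StoredToken>, now: SystemTime)
    -> Result<Option<String>, AuthError> {
    match mode {
        AuthMode::Mtls => Ok(None),
        AuthMode::Oidc => {
            // Fail closed: an OIDC gateway never gets a request without a token.
            let t = token.ok_or(AuthError::NoToken)?;
            if t.expires_at <= now + SKEW { return Err(AuthError::Expired); }
            // Visible ASCII only, so the token cannot smuggle CR/LF into metadata.
            let ok = !t.access_token.is_empty()
                && t.access_token.bytes().all(|b| (0x21..=0x7e).contains(&b));
            if !ok { return Err(AuthError::Malformed); }
            Ok(Some(format!("Bearer {}", t.access_token)))
        }
    }
}

fn main() {
    let now = SystemTime::now();
    // Constructed sample token that expired a minute ago.
    let stale = StoredToken { access_token: "constructed.sample".into(), expires_at: now - Duration::from_secs(60) };
    if let Err(e) = authorization_for(&AuthMode::Oidc, Some(&stale), now) { eprintln!("error: {e}"); }
}
```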


copy-pr-bot Bot commented May 15, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@TaylorMutch TaylorMutch self-assigned this May 15, 2026
@TaylorMutch TaylorMutch added the test:e2e Requires end-to-end coverage label May 15, 2026
@github-actions

Label test:e2e applied, but pull-request/1405 is at {"messa while the PR head is c1802d8. A maintainer needs to comment /ok to test c1802d81760fd66747f88649f2ce4abe194312bf to refresh the mirror. Once the mirror catches up, re-run Branch E2E Checks from the Actions tab.

@TaylorMutch
Collaborator

/ok to test c1802d8

Move EdgeAuthInterceptor from openshell-cli to openshell-core so the TUI
can use it without a circular dependency. The TUI now checks gateway
metadata for OIDC auth mode, loads the stored bearer token, and injects
it into gRPC requests via the shared interceptor.

When switching gateways, the TUI dispatches on auth_mode to build either
an mTLS or OIDC-authenticated channel. Expired tokens surface a clear
error directing users to re-authenticate with `openshell gateway login`.

@sjenning sjenning force-pushed the feat/tui-oidc-auth branch from c1802d8 to 35a01f4 Compare May 15, 2026 17:43

@TaylorMutch
Collaborator

/ok to test 35a01f4

@TaylorMutch TaylorMutch merged commit c8bf387 into NVIDIA:main May 15, 2026
35 of 37 checks passed