[feature] Browser OAuth (PKCE) SSO via /auth#2
Open
christopher-carroll-glean wants to merge 3 commits into
Let users sign in through Glean’s authorization server with the same SSO path as the web app. Tokens live in ~/.gleancode/auth.json; Config.effective_api_token prefers OAuth and refreshes on demand so existing Client API commands work unchanged. Indexing remains on api/indexing tokens only. Default OAuth scopes omit AGENT for compatibility with typical client registrations; override with oauth_scopes in config when allowed. Tests mock token_store in config/client header suites so machines with an existing auth.json stay deterministic. Add .github/pull_request_template.md.
Reduce risk of accidentally committing .env or copied auth.json blobs.
List browser sign-in above token-based /login; link SSO doc and /auth in Shell.
Summary
- /login). Many users want the same browser / company SSO experience as the Glean web app.
- /auth login (OAuth 2.1 authorization code + PKCE): tokens live in ~/.gleancode/auth.json; Config.effective_api_token prefers OAuth and refreshes on demand so existing slash commands stay unchanged. Indexing remains on Glean-issued indexing tokens only. Default OAuth scopes omit AGENT where client registrations disallow it (override with oauth_scopes in config when allowed).
- docs/SSO_OAUTH.md, README First run shows SSO above token-based /login, Shell list includes /auth.
- .gitignore hardening for .env / auth.json; .github/pull_request_template.md for future PRs.

Test plan
- python3 -m unittest discover -s tests -p 'test_*.py' -q (655 tests)
- /auth login --instance <host>, /auth status, /search in live mode

Notes
- main.

Made with Cursor
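The flow the summary describes, as an added Python example that is not code from this pull request: S256 PKCE challenge derivation (RFC 7636), a state check on the callback, an owner-only token file, and a prefer-OAuth token lookup that refreshes near expiry. Every function name, the `expires_at` field, the `skew` margin and the `refresh` callable are assumptions for illustration; the authorize URL, client ID and redirect URI are supplied by the caller.

```python
import base64, hashlib, json, os, secrets, time
from urllib.parse import urlencode

def pkce_challenge(verifier):
    """S256 code_challenge (RFC 7636): BASE64URL(SHA256(verifier)), unpadded."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def new_login_request(authorize_url, client_id, redirect_uri, scopes):
    """Return (url, verifier, state); only the challenge goes into the URL."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside the 43..128 limit
    state = secrets.token_urlsafe(32)     # ties the callback to this request
    query = urlencode({
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "scope": " ".join(scopes),
        "state": state, "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256"})
    return f"{authorize_url}?{query}", verifier, state

def check_callback(params, expected_state):
    """Return the authorization code; reject a callback with a foreign state."""
    got = params.get("state", "").encode()
    if not secrets.compare_digest(got, expected_state.encode()):
        raise ValueError("state mismatch: callback is not for this login")
    return params["code"]

def save_tokens(path, tokens):
    """Create the file with mode 0600, then atomically swap it into place."""
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(tokens, fh)
    os.replace(tmp, path)

def effective_token(path, static_token, refresh, now=None, skew=60):
    """Prefer the stored OAuth token, refreshing near expiry; else static."""
    now = time.time() if now is None else now
    try:
        with open(path) as fh:
            tokens = json.load(fh)
    except FileNotFoundError:
        return static_token  # no OAuth login yet: fall back to the API token
    if tokens["expires_at"] - skew <= now:
        tokens = refresh(tokens["refresh_token"])  # caller's token-endpoint call
        save_tokens(path, tokens)
    return tokens["access_token"]
```

The verifier is sent only in the later token request, so an authorization code intercepted on the loopback redirect cannot be redeemed without it.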