coulomb/railiance-platform
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(openbao-ui): handle OIDC callback without Ember popup flow

Browse Source 
OpenBao's Ember UI expects OIDC to complete in a popup and postMessage to
window.opener. The standalone KeyCape login uses a full-page redirect, so the
callback now exchanges the authorization code directly, persists the UI token
in localStorage, and redirects into the vault UI. Unauthenticated /ui/ loads
also redirect to the standalone login page to avoid ?with= bounce loops.
This commit is contained in:
Bernd Worsch
2026-06-19 21:18:34 +02:00
parent 520c7ea2c0
commit 50799938db
8 changed files with 205 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
scripts/openbao-ui-overlay-apply.sh
View File

@@ -27,7 +27,7 @@ if [ "${1:-}" = "-h" ] || [ "${1:-}" = "--help" ]; then
exit 0
fi
for required in overlay.css overlay.js login.css login.html login.js presets.json nginx.conf VERSION; do
for required in overlay.css overlay.js callback.html callback.js login.css login.html login.js presets.json nginx.conf VERSION; do
if [ ! -f "$OVERLAY_DIR/$required" ]; then
echo "missing overlay asset: $OVERLAY_DIR/$required" >&2
exit 1
@@ -47,6 +47,8 @@ $KUBECTL create configmap openbao-ui-overlay \
--namespace "$OPENBAO_NAMESPACE" \
--from-file="$OVERLAY_DIR/overlay.css" \
--from-file="$OVERLAY_DIR/overlay.js" \
--from-file="$OVERLAY_DIR/callback.html" \
--from-file="$OVERLAY_DIR/callback.js" \
--from-file="$OVERLAY_DIR/login.css" \
--from-file="$OVERLAY_DIR/login.html" \
--from-file="$OVERLAY_DIR/login.js" \

12
scripts/openbao-verify-login-overlay.sh
View File

@@ -65,6 +65,18 @@ if grep -Eq 'vault-|engines-dist' <<<"$auth_html"; then
fi
ok "auth page is standalone login.html (no Ember shell)"
callback_html="$(curl -fsS "$BASE_URL/ui/vault/auth/netkingdom/oidc/callback")"
require_pattern \
"OIDC callback serves standalone handler" \
"$callback_html" \
'Signing in with KeyCape|callback.js'
if grep -Eq 'window\.opener\.postMessage|vault-' <<<"$callback_html"; then
err "OIDC callback still serves Ember shell (expected standalone callback.html)"
exit 1
fi
ok "OIDC callback is standalone callback.html (no Ember postMessage flow)"
step "Overlay asset endpoints"
index_html="$(curl -fsS "$BASE_URL/ui/")"
overlay_js="$(curl -fsS "$BASE_URL/ui/platform-overlay/overlay.js")"