fix(openbao-ui): handle OIDC callback without Ember popup flow

OpenBao's Ember UI expects OIDC to complete in a popup and postMessage to
window.opener. The standalone KeyCape login uses a full-page redirect, so the
callback now exchanges the authorization code directly, persists the UI token
in localStorage, and redirects into the vault UI. Unauthenticated /ui/ loads
also redirect to the standalone login page to avoid ?with= bounce loops.
This commit is contained in:
2026-06-19 21:18:34 +02:00
parent 520c7ea2c0
commit 50799938db
8 changed files with 205 additions and 2 deletions

View File

@@ -65,6 +65,18 @@ if grep -Eq 'vault-|engines-dist' <<<"$auth_html"; then
fi
ok "auth page is standalone login.html (no Ember shell)"
callback_html="$(curl -fsS "$BASE_URL/ui/vault/auth/netkingdom/oidc/callback")"
require_pattern \
"OIDC callback serves standalone handler" \
"$callback_html" \
'Signing in with KeyCape|callback.js'
if grep -Eq 'window\.opener\.postMessage|vault-' <<<"$callback_html"; then
err "OIDC callback still serves Ember shell (expected standalone callback.html)"
exit 1
fi
ok "OIDC callback is standalone callback.html (no Ember postMessage flow)"
step "Overlay asset endpoints"
index_html="$(curl -fsS "$BASE_URL/ui/")"
overlay_js="$(curl -fsS "$BASE_URL/ui/platform-overlay/overlay.js")"