fix(openbao-ui): serve standalone KeyCape login at /ui/vault/auth

Ember's auth route bounces between ?with=netkingdom/ and ?with=token when
OIDC mounts are hidden from the unauthenticated listing. Bypass Ember on the
bare auth path with a static login page that calls auth_url directly; OIDC
callbacks still proxy to the OpenBao UI.
2026-06-19 21:13:08 +02:00
parent ae4d967481
commit 520c7ea2c0
8 changed files with 225 additions and 5 deletions

@@ -338,8 +338,11 @@ OPENBAO_TOKEN_FILE=~/.local/openbao/platform-admin.token \
scripts/openbao-tune-auth-listing.sh
```
The login overlay also redirects to `?with=netkingdom/` and starts KeyCape OIDC
directly when the operator clicks **Sign in with KeyCape**.
The gateway serves a standalone KeyCape login page at `/ui/vault/auth` so Ember
never handles the bare auth route (avoids `?with=token` / `?with=netkingdom/`
bounce when OIDC mounts are hidden from the unauthenticated listing). Clicking
**Sign in with KeyCape** calls `auth_url` and redirects to KeyCape directly.
OIDC callbacks under `/ui/vault/auth/<mount>/oidc/` still proxy to the OpenBao UI.
The OpenBao UI redirects the browser to KeyCape at `kc.coulomb.social`, then
returns to:
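
Review bot: the added paragraph says the gateway serves the static page at `/ui/vault/auth` while callbacks under `/ui/vault/auth/<mount>/oidc/` still proxy to the OpenBao UI, but it does not say whether that match is exact. Please state how the gateway treats the bare path with a trailing slash or with a query string such as `?with=token`, so a reader can tell that the static page cannot shadow the callback prefix. The paragraph should also say how an operator reaches token login now that Ember never handles the bare auth route, since the text only describes the **Sign in with KeyCape** flow.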