fix(openbao-ui): serve standalone KeyCape login at /ui/vault/auth

Ember's auth route bounces between ?with=netkingdom/ and ?with=token when
OIDC mounts are hidden from the unauthenticated listing. Bypass Ember on the
bare auth path with a static login page that calls auth_url directly; OIDC
callbacks still proxy to the OpenBao UI.
This commit is contained in:
2026-06-19 21:13:08 +02:00
parent ae4d967481
commit 520c7ea2c0
8 changed files with 225 additions and 5 deletions

View File

@@ -26,6 +26,13 @@ http {
add_header Cache-Control "public, max-age=300";
}
# Standalone KeyCape login page — bypasses Ember auth route and ?with= bounce.
location = /ui/vault/auth {
alias /etc/nginx/overlay/login.html;
default_type text/html;
add_header Cache-Control "no-store";
}
# Static UI bundles and API calls bypass HTML injection and stay compressed.
location ~ ^/(v1|ui/assets|ui/engines-dist|ui/favicon\.svg) {
proxy_pass http://openbao_upstream;