Feat: implement OIDC flow#1007
Conversation
|
@bupd Please have look at the idea. We may also required changes on harbore-core using existing oidc flow still required still needed few changes like polling state to get the id_token and other details. It's not completed yet but wanted you to have a look and design level decisions. PS: ignore lint for now :) |
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #1007 +/- ##
==========================================
- Coverage 10.99% 10.53% -0.46%
==========================================
Files 173 322 +149
Lines 8671 16454 +7783
==========================================
+ Hits 953 1733 +780
- Misses 7612 14509 +6897
- Partials 106 212 +106 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
|
Suggestion:
Please let me know if you have more suggestion. |
|
@NishchayRajput Had a brief look through this. It looks really really cool! Lastly, which party is validating the trust relationship to the oidc source. Just to confirm: this is governed through OIDC providers that are configured in harbor itself and we just make use of the trusted identity provider from Harbor itself. |
Hey, Thanks @qcserestipy for review. |
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
d532c48 to
a469bf0
Compare
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
…harbor-cli into feat/implement-oidc-flow
Untitled.design.1.mp4Added Refresh Token support. |
There was a problem hiding this comment.
Pull request overview
This PR introduces work-in-progress OIDC login support to harbor-cli, enabling a browser-based authentication flow via Harbor Core, persisting OIDC credentials locally, and using bearer-token auth for subsequent API requests.
Changes:
- Added OIDC login helpers (initiate login, poll for completion, refresh tokens) and corresponding unit tests.
- Extended credential/config model to store OIDC auth metadata (auth-type, id/refresh tokens, expiry) and added token refresh + retry-on-401 support in the Harbor API client.
- Updated
harbor logincommand/docs to add--oidcand tests for the new flag/flow.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 11 comments.
Show a summary per file
| File | Description |
|---|---|
| pkg/utils/oidc.go | Implements OIDC login initiation, polling, refresh, and URL construction helpers. |
| pkg/utils/oidc_test.go | Adds unit tests covering OIDC login, polling, and refresh behaviors. |
| pkg/utils/config.go | Extends stored credentials for OIDC fields and adds helpers to store/decrypt/update OIDC tokens. |
| pkg/utils/config_test.go | Adds tests for OIDC credential storage + token update/decryption. |
| pkg/utils/client.go | Adds OIDC bearer auth client path, token refresh logic, and retry transport for 401 responses. |
| pkg/utils/client_oidc_internal_test.go | Adds internal tests for JWT expiry parsing and retry transport behavior. |
| cmd/harbor/root/login.go | Adds --oidc flag and RunOIDCLogin flow. |
| cmd/harbor/root/login_test.go | Adds tests for OIDC flag mutual exclusivity and successful OIDC login. |
| doc/man-docs/man1/harbor-login.1 | Documents the new --oidc flag in man pages. |
| doc/cli-docs/harbor-login.md | Documents the new --oidc flag in CLI docs. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| return nil, fmt.Errorf("failed to parse OIDC token endpoint: %w", err) | ||
| } | ||
| q := u.Query() | ||
| q.Set("poll_token", pollToken) |
There was a problem hiding this comment.
Using poll_token instead of state as state is exposed in the url and anyone can get the session via that state.
|
not a big fan of
is that the only option to have attach --oidc? |
Yes this can be derived automatically via But besides the oidc flow we also support auth via Best way can be interactive solution which was discussed in this weekly meet that we can have over cc: @Vad1mo |
can we have this flow. keep --oidc etc.
One important not on interactive solution. Make sure interactive is only one of the option, it should work across CI/CD and AI agents using the CLI... |
Yes indeed. Just to summarize the proposed flow:
For AI Agents and CI/CD path flags paths remains covered. |
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>

Description
This pull request adds work-in-progress OIDC login support for
harbor-clitogether with the Harbor Core changes needed to support that flow.The current implementation allows
harbor-clito start an OIDC login through Harbor Core, return a browser login URL plus a CLI-only polling token, poll Harbor Core for completion, store the returned credential locally, and use bearer authentication for later API requests.This change is needed because Harbor currently supports browser-based OIDC login, but
harbor-clidoes not yet have a native OIDC login flow. The current implementation is still being actively worked on and is not final yet.Type of Change
Please select the relevant type.
Changes
harbor login <server> --oidcGET /c/oidc/login?mode=cliGET /c/oidc/cli-token?poll_token=...harbor-cli:auth-typeid-tokenrefresh-tokenexpires-atFlow Diagram
Video
Screencast.from.21-06-26.04.07.57.PM.IST.webm
In case of token expiry cli gives output as