Merge pull request #2695 from coreos-inc/oidc-internal-auth

OIDC internal auth support

endpoints/oauth/login.py

@@ -252,6 +252,24 @@ def _register_service(login_service):
     auth_url = login_service.get_auth_url(app.config, '', csrf_token, login_scopes)
     return redirect(auth_url)
 
+  @require_session_login
+  @oauthlogin_csrf_protect
+  def cli_token_func():
+    # Check for a callback error.
+    error = request.args.get('error', None)
+    if error:
+      return _render_ologin_error(login_service.service_name(), error)
+
+    # Exchange the OAuth code for the ID token.
+    code = request.args.get('code')
+    try:
+      idtoken, _ = login_service.exchange_code_for_tokens(app.config, client, code, '/cli')
+    except OAuthLoginException as ole:
+      return _render_ologin_error(login_service.service_name(), ole.message)
+
+    user_obj = get_authenticated_user()
+    return redirect(url_for('web.user_view', path=user_obj.username, tab='settings',
+                            idtoken=idtoken))
 
   oauthlogin.add_url_rule('/%s/callback/captcha' % login_service.service_id(),
                           '%s_oauth_captcha' % login_service.service_id(),
@@ -268,6 +286,11 @@ def _register_service(login_service):
                           attach_func,
                           methods=['GET'])
 
+  oauthlogin.add_url_rule('/%s/callback/cli' % login_service.service_id(),
+                          '%s_oauth_cli' % login_service.service_id(),
+                          cli_token_func,
+                          methods=['GET'])
+
 # Register the routes for each of the login services.
 for current_service in oauth_login.services:
   _register_service(current_service)