Configurable token callback URL for SSO login — would you accept a PR?

[rpgeddam]

Use Case

I'm trying to authenticate against the Concourse API from a CI environment. fly login requires a listener on 127.0.0.1 to capture the token callback, which isn't possible in headless/containerized CI runners. With OIDC/Entra ID as the auth backend, there's no password-based fallback — the only path is the fly-style SSO flow, but this hardcoded localhost url makes it unusable outside a local desktop.

The web UI's manual token copy-paste flow isn't an option for unattended CI.

tokenToFlyRoute authToken flyPort =                                                                                                                                                              
    Builder.crossOrigin                                                                                                                                                                          
        ("http://127.0.0.1:" ++ String.fromInt flyPort)                                                                                                                                          
        []                                                                                                                                                                                       
        [ Builder.string "token" authToken ]    

The fly-style login is the only viable external auth mechanism for third-party clients — standard OAuth redirect flow isn't available
(

concourse/skymarshal/dexserver/dexserver.go

Line 93 in c1f6081

RedirectURIs: []string{config.RedirectURL},

, and

concourse/skymarshal/skyserver/skyserver.go

Lines 162 to 176 in c1f6081

	func (s *SkyServer) Redirect(w http.ResponseWriter, r *http.Request, oauth2Token *oauth2.Token, redirectURI string) {
	logger := s.config.Logger.Session("redirect")
	redirectURL, err := url.ParseRequestURI("/" + strings.TrimLeft(redirectURI, "/"))
	if err != nil {
	logger.Error("failed-to-parse-redirect-url", err)
	w.WriteHeader(http.StatusBadRequest)
	return
	}
	if redirectURL.Host != "" || redirectURL.Scheme != "" {
	logger.Error("invalid-redirect", fmt.Errorf("Unsupported redirect uri: %s", redirectURI))
	w.WriteHeader(http.StatusBadRequest)
	return
	}

).

Proposal

Make the callback URL configurable via an environment variable (e.g. CONCOURSE_FLY_CALLBACK_URL). When set, it would be used as the full callback URL, ignoring fly_port. When unset, current behavior is remains unchanged.

This would be a small change - primarily in web/elm/src/Routes.elm and the backend plumbing to pass the config to the frontend.

Prior Art: /sky/token

The GET /sky/token endpoint (#2464) would have solved this use case - a remote client could redirect users through normal web login, then retrieve the token server-side. It was added in v4.2.0 but the GET variant was reverted in #3084 and the entire route removed in v6.1.0.

Was there a specific concern beyond "no longer needed after the new fly login UI"? If a token retrieval endpoint is more palatable than a configurable callback URL, that would work equally well for this use case.

Alternatives Explored

• Custom Dex static client: --add-client doesn't support custom redirect URIs; all clients get {external_url}/sky/callback
• Standard OAuth redirect: SkyServer.Redirect() rejects non-relative redirect URIs
• Direct IdP auth: The StoreAccessToken middleware replaces Dex JWTs with Concourse opaque tokens, so an Entra ID/OIDC token obtained directly can't be used against the Concourse API

The fly-style login is the only path for programmatic API access, but the 127.0.0.1 constraint limits it to local-only clients.

[rpgeddam]

other folks voicing a similar need: #2962 (comment)

[taylorsilva]

I'd be fine with bringing back the endpoint /sky/token. I'm not in favour for making the callback URL configurable.