Add --open-url-after-authentication option (#350)

* Add --open-url-after-authentication option

* Add integration test for --open-url-after-authentication

README.md

@@ -127,6 +127,7 @@ Flags:
       --grant-type string                               Authorization grant type to use. One of (auto|authcode|authcode-keyboard|password) (default "auto")
       --listen-address strings                          [authcode] Address to bind to the local server. If multiple addresses are set, it will try binding in order (default [127.0.0.1:8000,127.0.0.1:18000])
       --skip-open-browser                               [authcode] Do not open the browser automatically
+      --open-url-after-authentication string            [authcode] If set, open the URL in the browser after authentication
       --oidc-redirect-url-hostname string               [authcode] Hostname of the redirect URL (default "localhost")
       --oidc-auth-request-extra-params stringToString   [authcode, authcode-keyboard] Extra query parameters to send with an authentication request (default [])
       --username string                                 [password] Username for resource owner password credentials grant
@@ -204,6 +205,13 @@ You can add extra parameters to the authentication request.
       - --oidc-auth-request-extra-params=ttl=86400
 ```
 
+When authentication completed, kubelogin shows a message to close the browser.
+You can change the URL to show after authentication.
+
+```yaml
+      - --open-url-after-authentication=https://example.com/success.html
+```
+
 #### Authorization code flow with keyboard interactive
 
 If you cannot access the browser, instead use the authorization code flow with keyboard interactive.

integration_test/credetial_plugin_test.go

@@ -52,6 +52,11 @@ func TestCredentialPlugin(t *testing.T) {
 			args:    []string{"--certificate-authority", keypair.Server.CACertPath},
 		},
 	} {
+		httpDriverOption := httpdriver.Option{
+			TLSConfig:    tc.keyPair.TLSConfig,
+			BodyContains: "Authenticated",
+		}
+
 		t.Run(name, func(t *testing.T) {
 			t.Run("AuthCode", func(t *testing.T) {
 				t.Parallel()
@@ -71,7 +76,7 @@ func TestCredentialPlugin(t *testing.T) {
 				runGetToken(t, ctx, getTokenConfig{
 					tokenCacheDir: tokenCacheDir,
 					issuerURL:     sv.IssuerURL(),
-					httpDriver:    httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
+					httpDriver:    httpdriver.New(ctx, t, httpDriverOption),
 					now:           now,
 					stdout:        &stdout,
 					args:          tc.args,
@@ -132,7 +137,7 @@ func TestCredentialPlugin(t *testing.T) {
 					runGetToken(t, ctx, getTokenConfig{
 						tokenCacheDir: tokenCacheDir,
 						issuerURL:     sv.IssuerURL(),
-						httpDriver:    httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
+						httpDriver:    httpdriver.New(ctx, t, httpDriverOption),
 						now:           now,
 						stdout:        &stdout,
 						args:          tc.args,
@@ -168,7 +173,7 @@ func TestCredentialPlugin(t *testing.T) {
 					runGetToken(t, ctx, getTokenConfig{
 						tokenCacheDir: tokenCacheDir,
 						issuerURL:     sv.IssuerURL(),
-						httpDriver:    httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
+						httpDriver:    httpdriver.New(ctx, t, httpDriverOption),
 						now:           now.Add(2 * time.Hour),
 						stdout:        &stdout,
 						args:          tc.args,
@@ -190,7 +195,7 @@ func TestCredentialPlugin(t *testing.T) {
 					runGetToken(t, ctx, getTokenConfig{
 						tokenCacheDir: tokenCacheDir,
 						issuerURL:     sv.IssuerURL(),
-						httpDriver:    httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
+						httpDriver:    httpdriver.New(ctx, t, httpDriverOption),
 						now:           now.Add(4 * time.Hour),
 						stdout:        &stdout,
 						args:          tc.args,
@@ -221,7 +226,7 @@ func TestCredentialPlugin(t *testing.T) {
 		runGetToken(t, ctx, getTokenConfig{
 			tokenCacheDir: tokenCacheDir,
 			issuerURL:     sv.IssuerURL(),
-			httpDriver:    httpdriver.New(ctx, t, nil),
+			httpDriver:    httpdriver.New(ctx, t, httpdriver.Option{BodyContains: "Authenticated"}),
 			now:           now,
 			stdout:        &stdout,
 		})
@@ -246,7 +251,7 @@ func TestCredentialPlugin(t *testing.T) {
 		runGetToken(t, ctx, getTokenConfig{
 			tokenCacheDir: tokenCacheDir,
 			issuerURL:     sv.IssuerURL(),
-			httpDriver:    httpdriver.New(ctx, t, keypair.Server.TLSConfig),
+			httpDriver:    httpdriver.New(ctx, t, httpdriver.Option{TLSConfig: keypair.Server.TLSConfig, BodyContains: "Authenticated"}),
 			now:           now,
 			stdout:        &stdout,
 			args:          []string{"--certificate-authority-data", keypair.Server.CACertBase64},
@@ -272,7 +277,7 @@ func TestCredentialPlugin(t *testing.T) {
 		runGetToken(t, ctx, getTokenConfig{
 			tokenCacheDir: tokenCacheDir,
 			issuerURL:     sv.IssuerURL(),
-			httpDriver:    httpdriver.New(ctx, t, nil),
+			httpDriver:    httpdriver.New(ctx, t, httpdriver.Option{BodyContains: "Authenticated"}),
 			now:           now,
 			stdout:        &stdout,
 			args: []string{
@@ -283,6 +288,32 @@ func TestCredentialPlugin(t *testing.T) {
 		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
 	})
 
+	t.Run("OpenURLAfterAuthentication", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
+			Want: oidcserver.Want{
+				Scope:             "openid",
+				RedirectURIPrefix: "http://localhost:",
+			},
+			Response: oidcserver.Response{
+				IDTokenExpiry: now.Add(time.Hour),
+			},
+		})
+		defer sv.Shutdown(t, ctx)
+		var stdout bytes.Buffer
+		runGetToken(t, ctx, getTokenConfig{
+			tokenCacheDir: tokenCacheDir,
+			issuerURL:     sv.IssuerURL(),
+			httpDriver:    httpdriver.New(ctx, t, httpdriver.Option{BodyContains: "URL=https://example.com/success"}),
+			now:           now,
+			stdout:        &stdout,
+			args:          []string{"--open-url-after-authentication", "https://example.com/success"},
+		})
+		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+	})
+
 	t.Run("RedirectURLHostname", func(t *testing.T) {
 		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
@@ -301,7 +332,7 @@ func TestCredentialPlugin(t *testing.T) {
 		runGetToken(t, ctx, getTokenConfig{
 			tokenCacheDir: tokenCacheDir,
 			issuerURL:     sv.IssuerURL(),
-			httpDriver:    httpdriver.New(ctx, t, nil),
+			httpDriver:    httpdriver.New(ctx, t, httpdriver.Option{BodyContains: "Authenticated"}),
 			now:           now,
 			stdout:        &stdout,
 			args:          []string{"--oidc-redirect-url-hostname", "127.0.0.1"},
@@ -331,7 +362,7 @@ func TestCredentialPlugin(t *testing.T) {
 		runGetToken(t, ctx, getTokenConfig{
 			tokenCacheDir: tokenCacheDir,
 			issuerURL:     sv.IssuerURL(),
-			httpDriver:    httpdriver.New(ctx, t, nil),
+			httpDriver:    httpdriver.New(ctx, t, httpdriver.Option{BodyContains: "Authenticated"}),
 			now:           now,
 			stdout:        &stdout,
 			args: []string{

integration_test/httpdriver/http_driver.go

@@ -4,13 +4,20 @@ package httpdriver
 import (
 	"context"
 	"crypto/tls"
+	"io/ioutil"
 	"net/http"
+	"strings"
 	"testing"
 )
 
+type Option struct {
+	TLSConfig    *tls.Config
+	BodyContains string
+}
+
 // New returns a client to simulate browser access.
-func New(ctx context.Context, t *testing.T, tlsConfig *tls.Config) *client {
-	return &client{ctx, t, tlsConfig}
+func New(ctx context.Context, t *testing.T, o Option) *client {
+	return &client{ctx, t, o}
 }
 
 // Zero returns a client which call is not expected.
@@ -19,13 +26,13 @@ func Zero(t *testing.T) *zeroClient {
 }
 
 type client struct {
-	ctx       context.Context
-	t         *testing.T
-	tlsConfig *tls.Config
+	ctx context.Context
+	t   *testing.T
+	o   Option
 }
 
 func (c *client) Open(url string) error {
-	client := http.Client{Transport: &http.Transport{TLSClientConfig: c.tlsConfig}}
+	client := http.Client{Transport: &http.Transport{TLSClientConfig: c.o.TLSConfig}}
 	req, err := http.NewRequest("GET", url, nil)
 	if err != nil {
 		c.t.Errorf("could not create a request: %s", err)
@@ -41,6 +48,15 @@ func (c *client) Open(url string) error {
 	if resp.StatusCode != 200 {
 		c.t.Errorf("StatusCode wants 200 but %d", resp.StatusCode)
 	}
+	b, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		c.t.Errorf("could not read body: %s", err)
+		return nil
+	}
+	body := string(b)
+	if !strings.Contains(body, c.o.BodyContains) {
+		c.t.Errorf("body should contain %s but was %s", c.o.BodyContains, body)
+	}
 	return nil
 }
 

integration_test/standalone_test.go

@@ -36,6 +36,11 @@ func TestStandalone(t *testing.T) {
 			keyPair: keypair.Server,
 		},
 	} {
+		httpDriverOption := httpdriver.Option{
+			TLSConfig:    tc.keyPair.TLSConfig,
+			BodyContains: "Authenticated",
+		}
+
 		t.Run(name, func(t *testing.T) {
 			t.Run("AuthCode", func(t *testing.T) {
 				t.Parallel()
@@ -59,7 +64,7 @@ func TestStandalone(t *testing.T) {
 				runStandalone(t, ctx, standaloneConfig{
 					issuerURL:          sv.IssuerURL(),
 					kubeConfigFilename: kubeConfigFilename,
-					httpDriver:         httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
+					httpDriver:         httpdriver.New(ctx, t, httpDriverOption),
 					now:                now,
 				})
 				kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
@@ -131,7 +136,7 @@ func TestStandalone(t *testing.T) {
 					runStandalone(t, ctx, standaloneConfig{
 						issuerURL:          sv.IssuerURL(),
 						kubeConfigFilename: kubeConfigFilename,
-						httpDriver:         httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
+						httpDriver:         httpdriver.New(ctx, t, httpDriverOption),
 						now:                now,
 					})
 					kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
@@ -167,7 +172,7 @@ func TestStandalone(t *testing.T) {
 					runStandalone(t, ctx, standaloneConfig{
 						issuerURL:          sv.IssuerURL(),
 						kubeConfigFilename: kubeConfigFilename,
-						httpDriver:         httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
+						httpDriver:         httpdriver.New(ctx, t, httpDriverOption),
 						now:                now.Add(2 * time.Hour),
 					})
 					kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
@@ -189,7 +194,7 @@ func TestStandalone(t *testing.T) {
 					runStandalone(t, ctx, standaloneConfig{
 						issuerURL:          sv.IssuerURL(),
 						kubeConfigFilename: kubeConfigFilename,
-						httpDriver:         httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
+						httpDriver:         httpdriver.New(ctx, t, httpDriverOption),
 						now:                now.Add(4 * time.Hour),
 					})
 					kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
@@ -223,7 +228,7 @@ func TestStandalone(t *testing.T) {
 		runStandalone(t, ctx, standaloneConfig{
 			issuerURL:          sv.IssuerURL(),
 			kubeConfigFilename: kubeConfigFilename,
-			httpDriver:         httpdriver.New(ctx, t, keypair.Server.TLSConfig),
+			httpDriver:         httpdriver.New(ctx, t, httpdriver.Option{TLSConfig: keypair.Server.TLSConfig}),
 			now:                now,
 		})
 		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
@@ -253,7 +258,7 @@ func TestStandalone(t *testing.T) {
 		defer unsetenv(t, "KUBECONFIG")
 		runStandalone(t, ctx, standaloneConfig{
 			issuerURL:  sv.IssuerURL(),
-			httpDriver: httpdriver.New(ctx, t, nil),
+			httpDriver: httpdriver.New(ctx, t, httpdriver.Option{}),
 			now:        now,
 		})
 		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
@@ -284,7 +289,7 @@ func TestStandalone(t *testing.T) {
 		runStandalone(t, ctx, standaloneConfig{
 			issuerURL:          sv.IssuerURL(),
 			kubeConfigFilename: kubeConfigFilename,
-			httpDriver:         httpdriver.New(ctx, t, nil),
+			httpDriver:         httpdriver.New(ctx, t, httpdriver.Option{}),
 			now:                now,
 		})
 		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{

pkg/adaptors/cmd/authentication.go

@@ -12,14 +12,15 @@ import (
 )
 
 type authenticationOptions struct {
-	GrantType              string
-	ListenAddress          []string
-	ListenPort             []int // deprecated
-	SkipOpenBrowser        bool
-	RedirectURLHostname    string
-	AuthRequestExtraParams map[string]string
-	Username               string
-	Password               string
+	GrantType                  string
+	ListenAddress              []string
+	ListenPort                 []int // deprecated
+	SkipOpenBrowser            bool
+	OpenURLAfterAuthentication string
+	RedirectURLHostname        string
+	AuthRequestExtraParams     map[string]string
+	Username                   string
+	Password                   string
 }
 
 // determineListenAddress returns the addresses from the flags.
@@ -53,6 +54,7 @@ func (o *authenticationOptions) addFlags(f *pflag.FlagSet) {
 		panic(err)
 	}
 	f.BoolVar(&o.SkipOpenBrowser, "skip-open-browser", false, "[authcode] Do not open the browser automatically")
+	f.StringVar(&o.OpenURLAfterAuthentication, "open-url-after-authentication", "", "[authcode] If set, open the URL in the browser after authentication")
 	f.StringVar(&o.RedirectURLHostname, "oidc-redirect-url-hostname", "localhost", "[authcode] Hostname of the redirect URL")
 	f.StringToStringVar(&o.AuthRequestExtraParams, "oidc-auth-request-extra-params", nil, "[authcode, authcode-keyboard] Extra query parameters to send with an authentication request")
 	f.StringVar(&o.Username, "username", "", "[password] Username for resource owner password credentials grant")
@@ -63,10 +65,11 @@ func (o *authenticationOptions) grantOptionSet() (s authentication.GrantOptionSe
 	switch {
 	case o.GrantType == "authcode" || (o.GrantType == "auto" && o.Username == ""):
 		s.AuthCodeBrowserOption = &authcode.BrowserOption{
-			BindAddress:            o.determineListenAddress(),
-			SkipOpenBrowser:        o.SkipOpenBrowser,
-			RedirectURLHostname:    o.RedirectURLHostname,
-			AuthRequestExtraParams: o.AuthRequestExtraParams,
+			BindAddress:                o.determineListenAddress(),
+			SkipOpenBrowser:            o.SkipOpenBrowser,
+			OpenURLAfterAuthentication: o.OpenURLAfterAuthentication,
+			RedirectURLHostname:        o.RedirectURLHostname,
+			AuthRequestExtraParams:     o.AuthRequestExtraParams,
 		}
 	case o.GrantType == "authcode-keyboard":
 		s.AuthCodeKeyboardOption = &authcode.KeyboardOption{

pkg/adaptors/cmd/cmd_test.go

@@ -80,6 +80,7 @@ func TestCmd_Run(t *testing.T) {
 					"--listen-address", "127.0.0.1:10080",
 					"--listen-address", "127.0.0.1:20080",
 					"--skip-open-browser",
+					"--open-url-after-authentication", "https://example.com/success.html",
 					"--username", "USER",
 					"--password", "PASS",
 				},
@@ -92,9 +93,10 @@ func TestCmd_Run(t *testing.T) {
 					SkipTLSVerify:      true,
 					GrantOptionSet: authentication.GrantOptionSet{
 						AuthCodeBrowserOption: &authcode.BrowserOption{
-							BindAddress:         []string{"127.0.0.1:10080", "127.0.0.1:20080"},
-							SkipOpenBrowser:     true,
-							RedirectURLHostname: "localhost",
+							BindAddress:                []string{"127.0.0.1:10080", "127.0.0.1:20080"},
+							SkipOpenBrowser:            true,
+							OpenURLAfterAuthentication: "https://example.com/success.html",
+							RedirectURLHostname:        "localhost",
 						},
 					},
 				},
@@ -221,6 +223,7 @@ func TestCmd_Run(t *testing.T) {
 					"--listen-address", "127.0.0.1:10080",
 					"--listen-address", "127.0.0.1:20080",
 					"--skip-open-browser",
+					"--open-url-after-authentication", "https://example.com/success.html",
 					"--oidc-auth-request-extra-params", "ttl=86400",
 					"--oidc-auth-request-extra-params", "reauth=true",
 					"--username", "USER",
@@ -237,10 +240,11 @@ func TestCmd_Run(t *testing.T) {
 					SkipTLSVerify:  true,
 					GrantOptionSet: authentication.GrantOptionSet{
 						AuthCodeBrowserOption: &authcode.BrowserOption{
-							BindAddress:            []string{"127.0.0.1:10080", "127.0.0.1:20080"},
-							SkipOpenBrowser:        true,
-							RedirectURLHostname:    "localhost",
-							AuthRequestExtraParams: map[string]string{"ttl": "86400", "reauth": "true"},
+							BindAddress:                []string{"127.0.0.1:10080", "127.0.0.1:20080"},
+							SkipOpenBrowser:            true,
+							OpenURLAfterAuthentication: "https://example.com/success.html",
+							RedirectURLHostname:        "localhost",
+							AuthRequestExtraParams:     map[string]string{"ttl": "86400", "reauth": "true"},
 						},
 					},
 				},