Skip to content

Feat: implement OIDC flow#1007

Open
NishchayRajput wants to merge 19 commits into
goharbor:mainfrom
NishchayRajput:feat/implement-oidc-flow
Open

Feat: implement OIDC flow#1007
NishchayRajput wants to merge 19 commits into
goharbor:mainfrom
NishchayRajput:feat/implement-oidc-flow

Conversation

@NishchayRajput

@NishchayRajput NishchayRajput commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

Description

This pull request adds work-in-progress OIDC login support for harbor-cli together with the Harbor Core changes needed to support that flow.

Current implementation allows harbor-cli to start an OIDC login through Harbor Core, return a browser login URL, poll Harbor Core for completion using OIDC state, store the returned credential locally, and use bearer authentication for later API requests.

This change is needed because Harbor currently supports browser-based OIDC login, but harbor-cli does not yet have a native OIDC login flow. The current implementation is still being actively worked on and is not final yet.

Type of Change

Please select the relevant type.

  • Bug fix
  • New feature
  • Refactor
  • Documentation update
  • Chore / maintenance

Changes

  • added harbor login <server> --oidc
  • added OIDC login initiation helper against:
    • GET /c/oidc/login?mode=cli
  • added OIDC polling helper against:
    • GET /c/oidc/cli-token?state=...
  • added local OIDC credential storage support:
    • auth-type
    • id-token
    • refresh-token
    • expires-at
  • added bearer-token client path for OIDC credentials
  • updated tests for the state-based polling contract

Flow Diagram

image

Video

Screencast.from.21-06-26.04.07.57.PM.IST.webm

In case of token expiry cli gives output as

image

@NishchayRajput

NishchayRajput commented Jun 17, 2026

Copy link
Copy Markdown
Contributor Author

@bupd Please have look at the idea. We may also required changes on harbore-core using existing oidc flow still required still needed few changes like polling state to get the id_token and other details. It's not completed yet but wanted you to have a look and design level decisions.

PS: ignore lint for now :)

@NishchayRajput NishchayRajput changed the title Feat/implement OIDC flow Feat: implement OIDC flow Jun 17, 2026
@codecov

codecov Bot commented Jun 20, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 43.29609% with 203 lines in your changes missing coverage. Please review.
✅ Project coverage is 10.35%. Comparing base (60ad0bd) to head (6ef5a88).
⚠️ Report is 191 commits behind head on main.

Files with missing lines Patch % Lines
pkg/utils/client.go 35.87% 68 Missing and 16 partials ⚠️
pkg/utils/oidc.go 43.18% 49 Missing and 26 partials ⚠️
pkg/utils/config.go 52.94% 16 Missing and 16 partials ⚠️
cmd/harbor/root/login.go 55.55% 6 Missing and 6 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1007      +/-   ##
==========================================
- Coverage   10.99%   10.35%   -0.64%     
==========================================
  Files         173      322     +149     
  Lines        8671    16440    +7769     
==========================================
+ Hits          953     1702     +749     
- Misses       7612    14529    +6917     
- Partials      106      209     +103     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@NishchayRajput

Copy link
Copy Markdown
Contributor Author

Suggestion:

  • We can use URL shortener or copy support for the link in the terminal itself.
  • Also should display the QR code for the url incase user can scan via phone.

Please let me know if you have more suggestion.

@qcserestipy

Copy link
Copy Markdown
Collaborator

@NishchayRajput Had a brief look through this. It looks really really cool!
Just one question out of interest. After the oidc login the id_token is retrieved for identity info.
The refresh_token is also stored for refreshing which is really nice. Is there already functionality included to make use of the refresh_token anyhow or is this just added for completenes currently?
Should we also store the access_token?

Lastly, which party is validating the trust relationship to the oidc source. Just to confirm: this is governed through OIDC providers that are configured in harbor itself and we just make use of the trusted identity provider from Harbor itself.

@qcserestipy qcserestipy added enhancement New feature or request Priority: Medium Affecting a limited number of users,degrading the customer experience. deps/harbor Issues related to upstream Harbor behavior, API quirks, configuration requirements, or Harbor bugs. status/in-progress Work on this issue has started or a linked pull request is actively being developed. labels Jun 30, 2026
@NishchayRajput

Copy link
Copy Markdown
Contributor Author

@NishchayRajput Had a brief look through this. It looks really really cool! Just one question out of interest. After the oidc login the id_token is retrieved for identity info. The refresh_token is also stored for refreshing which is really nice. Is there already functionality included to make use of the refresh_token anyhow or is this just added for completenes currently? Should we also store the access_token?

Lastly, which party is validating the trust relationship to the oidc source. Just to confirm: this is governed through OIDC providers that are configured in harbor itself and we just make use of the trusted identity provider from Harbor itself.

Hey, Thanks @qcserestipy for review.
Below is how flow would look like
image

Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
@NishchayRajput NishchayRajput force-pushed the feat/implement-oidc-flow branch from d532c48 to a469bf0 Compare July 4, 2026 17:56
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
@NishchayRajput

Copy link
Copy Markdown
Contributor Author
Untitled.design.1.mp4

Added Refresh Token support.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR introduces work-in-progress OIDC login support to harbor-cli, enabling a browser-based authentication flow via Harbor Core, persisting OIDC credentials locally, and using bearer-token auth for subsequent API requests.

Changes:

  • Added OIDC login helpers (initiate login, poll for completion, refresh tokens) and corresponding unit tests.
  • Extended credential/config model to store OIDC auth metadata (auth-type, id/refresh tokens, expiry) and added token refresh + retry-on-401 support in the Harbor API client.
  • Updated harbor login command/docs to add --oidc and tests for the new flag/flow.

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 11 comments.

Show a summary per file
File Description
pkg/utils/oidc.go Implements OIDC login initiation, polling, refresh, and URL construction helpers.
pkg/utils/oidc_test.go Adds unit tests covering OIDC login, polling, and refresh behaviors.
pkg/utils/config.go Extends stored credentials for OIDC fields and adds helpers to store/decrypt/update OIDC tokens.
pkg/utils/config_test.go Adds tests for OIDC credential storage + token update/decryption.
pkg/utils/client.go Adds OIDC bearer auth client path, token refresh logic, and retry transport for 401 responses.
pkg/utils/client_oidc_internal_test.go Adds internal tests for JWT expiry parsing and retry transport behavior.
cmd/harbor/root/login.go Adds --oidc flag and RunOIDCLogin flow.
cmd/harbor/root/login_test.go Adds tests for OIDC flag mutual exclusivity and successful OIDC login.
doc/man-docs/man1/harbor-login.1 Documents the new --oidc flag in man pages.
doc/cli-docs/harbor-login.md Documents the new --oidc flag in CLI docs.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread pkg/utils/oidc.go
Comment on lines +238 to +247
func joinServerPath(serverAddress, path string) (string, error) {
u, err := url.Parse(serverAddress)
if err != nil {
return "", fmt.Errorf("failed to parse server URL: %w", err)
}
u.Path = path
u.RawQuery = ""
u.Fragment = ""
return u.String(), nil
}
Comment thread pkg/utils/oidc.go
q.Set("mode", "cli")
u.RawQuery = q.Encode()

resp, err := http.Get(u.String()) //nolint:gosec // endpoint is user-provided Harbor server URL for login.
Comment thread pkg/utils/oidc.go
}

func pollOIDCTokenOnce(endpoint string) (*OIDCPollResponse, bool, error) {
resp, err := http.Get(endpoint) //nolint:gosec // endpoint is the Harbor server URL validated by PollForOIDCToken.
Comment thread pkg/utils/oidc.go
}
req.Header.Set("Content-Type", "application/json")

resp, err := http.DefaultClient.Do(req)
Comment thread pkg/utils/oidc.go
return nil, fmt.Errorf("failed to parse OIDC token endpoint: %w", err)
}
q := u.Query()
q.Set("poll_token", pollToken)
Comment thread pkg/utils/config.go
log.Fatalf("failed to write updated config file: %v", err)
}

CurrentHarborConfig = &c
Comment thread pkg/utils/client.go
Comment on lines +215 to +218
return buildClientWithAuth(credential.ServerAddress, tokenManager, &oidcRetryTransport{
base: harbor.InsecureTransport,
tokenManager: tokenManager,
})
Comment thread pkg/utils/client.go
Comment on lines +267 to +268
base = harbor.InsecureTransport
}
Comment thread cmd/harbor/root/login.go

harborData, err := utils.GetCurrentHarborData()
if err != nil {
return fmt.Errorf("failed to get current harbor data: %s", err)
Comment thread pkg/utils/oidc.go
Comment on lines +117 to +119
deadline := time.Now().Add(timeout)
ticker := time.NewTicker(3 * time.Second)
defer ticker.Stop()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

deps/harbor Issues related to upstream Harbor behavior, API quirks, configuration requirements, or Harbor bugs. enhancement New feature or request Priority: Medium Affecting a limited number of users,degrading the customer experience. status/in-progress Work on this issue has started or a linked pull request is actively being developed.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[feature]: Harbor CLI OIDC auth (LFX Term-2, June-Augut 2026)

3 participants