
refactor(auth): implement browser-based and refreshed token authentication flow #15

Merged
kop merged 2 commits into main from
kop/fb-336-fb-cli-oauth-pkce-browser-auth-and-os-keychain-secret
Mar 25, 2026


@kop kop commented Mar 25, 2026

Summary

Adds browser-based OAuth PKCE authentication as an alternative to Service Account login, migrates secret storage to the OS keychain, and fixes several bugs discovered during implementation.

What changed

New authentication flow (src/auth.rs, src/context.rs)

  • fb auth now offers a choice: Browser login (PKCE) or Service Account
  • Browser flow: opens system browser → local callback server (5 fixed candidate ports) → PKCE code exchange → tokens stored in OS keychain
  • After authenticating, interactively selects an account from the API (GET /web/v3/myAccounts) — auto-selects if only one account exists
  • System engine URL is discovered automatically per account
  • Both flows prompt for optional default database/engine

Keyring-based secret storage

  • All secrets (SA client secret, access tokens, refresh tokens) stored in OS keychain via keyring crate
  • --no-keyring flag falls back to ~/.firebolt/fb_secrets (YAML file)
  • Enabled apple-native and linux-native keyring features — without these the crate compiled with an in-memory mock backend, losing tokens between invocations
  • Namespaced keyring keys: browser_access_token/browser_refresh_token for browser flow, sa_access_token/sa_secret for SA flow — prevents cross-flow token collisions

New subcommands

  • fb auth token — prints current access token to stdout, refreshes if expired
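
The loopback callback step of the browser flow described in the comment above, as an added example that is not code from this PR or from the fb project: it binds the first free candidate port on 127.0.0.1 and accepts the authorization code only from a well-formed redirect. The port numbers, the `/callback` path and the `state` check are assumptions; the PR text names none of them.

```rust
use std::io::{Read, Write};
use std::net::{Ipv4Addr, TcpListener, TcpStream};
// Placeholder ports: the PR says five fixed candidates but does not list them.
const CANDIDATE_PORTS: [u16; 5] = [53121, 53122, 53123, 53124, 53125];

/// Bind the first free candidate on 127.0.0.1 only, never 0.0.0.0.
fn bind_callback(ports: &[u16]) -> Option<TcpListener> {
    ports.iter().find_map(|&p| TcpListener::bind((Ipv4Addr::LOCALHOST, p)).ok())
}

/// Validate the redirect's request line (assumed path and `state` check); returns the raw `code`.
fn parse_callback(request_line: &str, expected_state: &str) -> Result<String, &'static str> {
    let mut parts = request_line.split_whitespace();
    if parts.next() != Some("GET") { return Err("unexpected method"); }
    let target = parts.next().ok_or("missing target")?;
    let (path, query) = target.split_once('?').ok_or("missing query")?;
    if path != "/callback" { return Err("unexpected path"); }
    let (mut code, mut state) = (None, None);
    for pair in query.split('&') {
        match pair.split_once('=') {
            Some(("error", _)) => return Err("authorization error"),
            Some(("code", v)) => code = Some(v),
            Some(("state", v)) => state = Some(v),
            _ => {}
        }
    }
    if state != Some(expected_state) { return Err("state mismatch"); }
    code.filter(|c| !c.is_empty()).map(str::to_owned).ok_or("missing code")
}

/// Accept exactly one connection, answer it, and return the validated code.
fn wait_for_code(listener: &TcpListener, expected_state: &str) -> Result<String, &'static str> {
    let (mut stream, _) = listener.accept().map_err(|_| "accept failed")?;
    let mut buf = [0u8; 4096];
    let n = stream.read(&mut buf).map_err(|_| "read failed")?;
    let text = String::from_utf8_lossy(&buf[..n]);
    let result = parse_callback(text.lines().next().unwrap_or(""), expected_state);
    let body = if result.is_ok() { "Login complete." } else { "Login failed." };
    let _ = write!(stream, "HTTP/1.1 200 OK\r\nContent-Length: {}\r\n\r\n{}", body.len(), body);
    result
}

fn main() {
    let listener = bind_callback(&CANDIDATE_PORTS).expect("all candidate ports busy");
    let port = listener.local_addr().unwrap().port();
    // Constructed request standing in for the browser redirect.
    let mut browser = TcpStream::connect((Ipv4Addr::LOCALHOST, port)).unwrap();
    browser.write_all(b"GET /callback?code=abc123&state=s3 HTTP/1.1\r\n\r\n").unwrap();
    println!("port {port}: {:?}", wait_for_code(&listener, "s3"));
}
```

The returned code is still percent-encoded and would need decoding before the PKCE token exchange; in real use the expected `state` is a fresh random value per login attempt.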

kop added 2 commits March 25, 2026 11:04
…ation flow

Redesign authentication logic to support both Service Account and Browser-based workflows. Replace `ServiceAccountToken` with a more generic `AuthMethod` enum, and introduce OAuth PKCE flow for browser authentication. Add support for token caching and management via keyring or file-based storage. Update CLI commands to include token functionalities and adapt help messages accordingly.
- Separate keyring keys for browser (browser_access_token/browser_refresh_token)
  and service account (sa_access_token) to prevent cross-flow token collisions
- Add pre-refresh check: return friendly "Session expired" if refresh token missing
- Enable apple-native and linux-native keyring features so tokens persist across
  process invocations (previously used in-memory mock backend with no persistence)
- clear_auth now also cleans up legacy access_token/refresh_token keys for migration
@kop kop requested a review from tobias-fire March 25, 2026 11:55
@kop kop marked this pull request as ready for review March 25, 2026 11:55
@kop kop merged commit ec0da82 into main Mar 25, 2026
5 checks passed
@kop kop deleted the kop/fb-336-fb-cli-oauth-pkce-browser-auth-and-os-keychain-secret branch March 25, 2026 12:31