Authentication Scenarios
When using Concourse in several environments, you’ll eventually end up in a situation where you’re on a remote system (Jumpbox, Docker Container, etc.) and need to use fly to get or set a pipeline, or hijack into a job and troubleshoot a task. This is where things get a bit interesting.
If you are using Concourse 3.x or 4.x and have OAuth configured (GitHub, CF, etc.), when attempting to log in you’ll be met with the following:
fly -t pipes login
logging in to team 'dev-test'
navigate to the following URL in your browser:
https://pipes.test.example.com/sky/login?redirect_uri=http://127.0.0.1:43941/auth/callback
or enter token manually:
Usually this works perfectly fine: go to the link in a browser, fly automatically updates the credentials, and it’s good to go. Unfortunately, when using fly on a remote system, or within a container, the redirect_uri=http://127.0.0.1:43941/auth/callback won’t work properly, as fly is listening on a random port local to the box it’s running on, not on the machine where the browser runs. This causes the following to occur in the browser and sadness ensues.
Recycle and Reuse
So, how do we fix this?
Look in the address bar of the browser when redirected to the error page; it’ll look something like:
Enclosed in the URL is the bearer token that fly is expecting. But before copying and pasting it into fly, it needs to be modified slightly. Change the + between Bearer and the rest of the token to a space character so it looks like:
Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IiIsInR5cCI6IkpXVCJ9.eyJjc3
…
Then copy that into the terminal where you are authenticating.
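The manual edit described above can be scripted. This is an added example, not code from the original post or from Concourse: it form-decodes the callback URL copied from the address bar and returns the Bearer string to paste into fly. The sample URL is constructed, and the token parameter name in it is an assumption (the function checks every parameter, so it does not depend on that name).

```python
import base64
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Shape of "Bearer <header>.<payload>.<signature>", each part base64url.
BEARER_RE = re.compile(r"^Bearer [A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop "=" padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def bearer_from_callback(url: str) -> str:
    """Return the 'Bearer <jwt>' string carried in a failed callback URL."""
    parts = urlsplit(url.strip())
    # parse_qsl applies form decoding: "+" becomes a space, %XX is unescaped.
    # Every parameter is inspected, so the parameter name is not hardcoded.
    for _name, value in parse_qsl(parts.query) + parse_qsl(parts.fragment):
        if not BEARER_RE.match(value):
            continue
        jwt_header = value.split(" ", 1)[1].split(".")[0]
        header = json.loads(_b64url_decode(jwt_header))
        # A JWT header is a JSON object that names its signing algorithm.
        if isinstance(header, dict) and "alg" in header:
            return value
    raise ValueError("no bearer token found in URL")


# Constructed sample: JWT header as shown on the page, made-up payload and signature.
_HEADER = "eyJhbGciOiJSUzI1NiIsImtpZCI6IiIsInR5cCI6IkpXVCJ9"
_PAYLOAD = base64.urlsafe_b64encode(b'{"sub":"constructed"}').rstrip(b"=").decode()
SAMPLE_JWT = f"{_HEADER}.{_PAYLOAD}.c2lnbmF0dXJl"
# "token" as the parameter name is an assumption made for this sample.
SAMPLE_URL = f"http://127.0.0.1:43941/auth/callback?token=Bearer+{SAMPLE_JWT}"

if __name__ == "__main__":
    print(bearer_from_callback(SAMPLE_URL))
```

The copied URL carries a live credential and stays in the browser history, so clear that entry once fly has accepted the token.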
Good News!
While this is a bit of a pain, the good news is there is a much more user-friendly experience in 5.x and above. Upon going to the login page prompted by fly, if the CLI can’t be contacted by the browser, instead of getting an Unable to connect error, you’re greeted with a page and a one-click button to copy the properly formatted token to your clipboard as shown below.
But for those of us who are in environments with older versions of Concourse, the above solution is a good stop-gap until the shiny new upgrades are rolled out.