fix(openbao-ui): handle OIDC callback without Ember popup flow

OpenBao's Ember UI expects OIDC to complete in a popup and postMessage to
window.opener. The standalone KeyCape login uses a full-page redirect, so the
callback now exchanges the authorization code directly, persists the UI token
in localStorage, and redirects into the vault UI. Unauthenticated /ui/ loads
also redirect to the standalone login page to avoid ?with= bounce loops.
This commit is contained in:
tegwick 2026-06-19 21:18:34 +02:00
parent 520c7ea2c0
commit 50799938db
8 changed files with 205 additions and 2 deletions

View file

@ -33,6 +33,7 @@ behaviour.
| `overlay.css` | Hide raw OpenBao login fields |
| `overlay.js` | Apply presets, branding on post-login Ember pages |
| `login.html` / `login.js` / `login.css` | Standalone KeyCape login at `/ui/vault/auth` |
| `callback.html` / `callback.js` | OIDC code exchange at `/ui/vault/auth/*/oidc/callback` |
| `nginx.conf` | Gateway proxy + standalone auth page + HTML injection |
| `patches/<version>/manifest.sha256` | Upstream UI fingerprints for drift detection |