fix(openbao-ui): handle OIDC callback without Ember popup flow

OpenBao's Ember UI expects OIDC to complete in a popup and postMessage to
window.opener. The standalone KeyCape login uses a full-page redirect, so the
callback now exchanges the authorization code directly, persists the UI token
in localStorage, and redirects into the vault UI. Unauthenticated /ui/ loads
also redirect to the standalone login page to avoid ?with= bounce loops.
This commit is contained in:
tegwick 2026-06-19 21:18:34 +02:00
parent 520c7ea2c0
commit 50799938db
8 changed files with 205 additions and 2 deletions

View file

@ -33,6 +33,13 @@ http {
add_header Cache-Control "no-store";
}
# OIDC callback handler exchanges code without Ember popup/postMessage flow.
location ~ ^/ui/vault/auth/.+/oidc/callback/?$ {
alias /etc/nginx/overlay/callback.html;
default_type text/html;
add_header Cache-Control "no-store";
}
# Static UI bundles and API calls bypass HTML injection and stay compressed.
location ~ ^/(v1|ui/assets|ui/engines-dist|ui/favicon\.svg) {
proxy_pass http://openbao_upstream;