You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When registering a gateway with openshell gateway add https://<endpoint>, the CLI defaults to the Cloudflare Access edge-auth flow. This flow only works when Cloudflare Access is deployed in front of the gateway — on any other Kubernetes deployment (OpenShift, GKE, EKS, k3d), it hangs for 120 seconds and times out with no guidance.
OIDC is the recommended auth path for production Kubernetes deployments, but users must already know about the --oidc-issuer flag to use it. The current default penalizes the majority of users (direct K8s deployments) in favor of the minority (Cloudflare Access deployments).
This was discussed in the #openshell Slack thread with @taylor Mutch, who noted: "I would honestly be okay with defaulting to the OIDC path as the default."
Proposed Design
Invert the default auth behavior for gateway add with HTTPS endpoints:
Default to OIDC with auto-discovery: Assume OIDC and try to discover the issuer from /.well-known/openid-configuration. Too fragile — the gateway doesn't expose OIDC config on an HTTP endpoint.
Agent Investigation
Explored crates/openshell-cli/src/run.rs:940-960 — confirmed gateway_add() enters the edge-auth path for any https:// endpoint without --oidc-issuer or --local.
Explored crates/openshell-cli/src/main.rs:1060-1080 — the GatewayAdd and GatewayLogin command structs. Adding --edge-auth is straightforward alongside existing --oidc-issuer and --local flags.
Verified on ROSA HCP 4.21: the OIDC flow via --oidc-issuer works correctly. The issue is purely the default behavior.
I've reviewed existing issues and the architecture docs
This is a design proposal, not a "please build this" request
Problem Statement
When registering a gateway with
openshell gateway add https://<endpoint>, the CLI defaults to the Cloudflare Access edge-auth flow. This flow only works when Cloudflare Access is deployed in front of the gateway — on any other Kubernetes deployment (OpenShift, GKE, EKS, k3d), it hangs for 120 seconds and times out with no guidance.OIDC is the recommended auth path for production Kubernetes deployments, but users must already know about the
--oidc-issuerflag to use it. The current default penalizes the majority of users (direct K8s deployments) in favor of the minority (Cloudflare Access deployments).This was discussed in the #openshell Slack thread with @taylor Mutch, who noted: "I would honestly be okay with defaulting to the OIDC path as the default."
Proposed Design
Invert the default auth behavior for
gateway addwith HTTPS endpoints:Current behavior:
gateway add https://...→ Cloudflare edge-auth (browser opens/auth/connect, waits forCF_Authorizationcookie)gateway add https://... --oidc-issuer <url>→ OIDC browser flowProposed behavior:
gateway add https://...→ prompt the user to provide--oidc-issueror--edge-author--localgateway add https://... --oidc-issuer <url>→ OIDC browser flow (unchanged)gateway add https://... --edge-auth→ Cloudflare edge-auth flow (opt-in)gateway add https://... --local→ skip auth entirely (unchanged)When neither
--oidc-issuernor--edge-authnor--localis provided, the CLI should display a clear message:Changes required
crates/openshell-cli/src/main.rs— add--edge-authflag togateway addandgateway logincrates/openshell-cli/src/run.rs:940-960— change the default for HTTPS from edge-auth to promptingcrates/openshell-cli/src/auth.rs— gatebrowser_auth_flow()behind the--edge-authflagAlternatives Considered
Auto-detect from gateway metadata (feat(cli): auto-detect OIDC configuration during gateway add #2098): Query the gateway's Health endpoint to detect OIDC configuration. More seamless but adds complexity and a new API contract. Can be done as a follow-up.
Keep CF as default, improve error message (fix(cli): improve error message when edge-auth flow times out on non-Cloudflare deployments #2099): Less disruptive but doesn't solve the UX problem — users still hit a 120-second hang before seeing guidance.
Default to OIDC with auto-discovery: Assume OIDC and try to discover the issuer from
/.well-known/openid-configuration. Too fragile — the gateway doesn't expose OIDC config on an HTTP endpoint.Agent Investigation
crates/openshell-cli/src/run.rs:940-960— confirmedgateway_add()enters the edge-auth path for anyhttps://endpoint without--oidc-issueror--local.crates/openshell-cli/src/main.rs:1060-1080— theGatewayAddandGatewayLogincommand structs. Adding--edge-authis straightforward alongside existing--oidc-issuerand--localflags.--oidc-issuerworks correctly. The issue is purely the default behavior.