Blog

Authentication Scenarios

When using Concourse in several environments, you'll eventually end up in a situation where you're on a remote system (Jumpbox, Docker Container, etc) and need to use fly to get or set a pipeline, or hijack into a job and troubleshoot a task. This is where things get a bit interesting.

If you are using Concourse 3.x or 4.x and have OAuth configured (Github, CF, etc), when attempting to log in you'll be met with the following:

fly -t pipes login
logging in to team 'dev-test'

navigate to the following URL in your browser:
  https://pipes.test.example.com/sky/login?redirect_uri=http://127.0.0.1:43941/auth/callback

or enter token manually: 

Usually this works perfectly fine, go to the link in a browser, fly automatically updates the credentials, and it's good to go. Unfortunately, when using fly on a remote system, or within a container, the redirect_uri=http://127.0.0.1:43941/auth/callback won't work properly as fly is listening on a random port local to the box it's running on. This causes the following to occur in the browser and sadness ensues.

Can't establish a connection to the server.

Recycle and Reuse

So, how do we fix this?

Looking in the address bar of the browser when redirected to the error page it'll look something like:

http://127.0.0.1:43941/auth/callback?token=Bearer+eyJhbGciOiJSUzI1NiIsImtpZCI6IiIsInR5cCI6IkpXVCJ9.eyJjc3...

Enclosed in the URL is the bearer token that fly is expecting. But before copying and pasting it into fly, it needs to be modified slightly. Change the + between Bearer and the rest of the token to a space character so it looks like:

Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IiIsInR5cCI6IkpXVCJ9.eyJjc3...

Then copy that into the terminal where you are authenticating.

Good News!

While this is a a bit of a pain, the good news is there is a much more user friendly experience in 5.x and above. Upon going to the login page prompted by fly, if the CLI can't be contacted by the browser, instead of getting an Unable to connect error, you're greeted with a page and a one-click button to copy the properly formatted token to your clipboard as shown below.

But for those of us who are environments with older versions of Concourse, the above solution is a good stop-gap until the shiny new upgrades are rolled out.