
random callback uri port #1105


Closed
tuananh opened this issue Nov 25, 2021 · 7 comments · Fixed by sigstore/sigstore#353 or #1675
Labels
question Further information is requested

Comments

@tuananh

tuananh commented Nov 25, 2021

The URL generated is localhost:xxxxx. However, the port is random each time, so it doesn't match what I have registered in the OIDC IdP (dex), and I get this error when the URL is opened in the browser:

Unregistered redirect_uri ("http://localhost:56947/auth/callback").

Is there any way to fix the port?

@tuananh tuananh added the question Further information is requested label Nov 25, 2021
@dlorenc
Member

dlorenc commented Dec 7, 2021

Hey @tuananh - I'm not sure I understand the use-case fully. How are you trying to run cosign? What fulcio instance are you pointed at, and how is it configured?

@tuananh
Author

tuananh commented Dec 7, 2021

@dlorenc I omit it, so I assume it's the public dev one? The client I have registered in dex looks like below.

staticClients:
  - id: sigstore
    secret: __CHANGE_ME__
    name: 'sigstore'
    # Where the app will be running.
    redirectURIs:
    - 'http://localhost:56921/auth/callback'
    # - 'http://127.0.0.1:5555/callback'

As you can see, the redirect URI has a port in it, but every time I run the command below, the port changes, so I get unregistered redirect_uri.

COSIGN_EXPERIMENTAL=1 cosign sign \
    --oidc-issuer "http://<my-dex-instance-url>" \
    README.md

@feelepxyz
Member

👋 I ran into this when trying to get sigstore-the-hard-way up and running.

I think this change in cosign is relevant: it changed the local server to bind to a random available port, to handle the port already being taken on the developer's machine.

I'm not yet aware of a way to handle a random port range in dex. There's this fix proposed in dex but looks inactive: dexidp/dex#1783

@tuananh
Author

tuananh commented Mar 24, 2022

@dlorenc can you advise? Is there any known workaround for this?

relevant issue: #1311

@hectorj2f
Contributor

The main issue is that certain OIDC providers do not allow a redirect URI with a random port (e.g. auth0). In our code, we set up a redirect listener whose port is randomly picked by the OS. As a consequence, those OIDC providers return a redirect_uri mismatch because the port changes on every call.

@dlorenc @tuananh A solution would be to expose a flag to set the redirect listener to a specific port, or to set the redirect_uri itself. I could get some changes in to fix it.

@hectorj2f
Contributor

The code is in: https://github.com/sigstore/sigstore/blob/main/pkg/oauthflow/interactive.go#L148, and even though RFC 8252 says:

The authorization server MUST allow any port to be specified at the
   time of the request for loopback IP redirect URIs, to accommodate
   clients that obtain an available ephemeral port from the operating
   system at the time of the request.

It seems some providers do not support it.
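To make the mismatch concrete, here is an added Go example (it is not sigstore's, cosign's or dex's code). It opens a loopback redirect listener either on an OS-chosen ephemeral port, as the thread describes, or on a fixed port, as the proposed flag would, builds the redirect_uri from the port actually bound, and then compares that URI against a constructed registration in two ways: the strict byte-for-byte comparison that the providers named in this thread perform, and the RFC 8252 section 7.3 loopback rule quoted above, which ignores the port for loopback hosts. The function names, the `http://localhost:56921/auth/callback` registration mirroring the dex entry above, and treating the `localhost` name as loopback are all assumptions of the example.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strconv"
)

// startRedirectListener opens the loopback listener on which the CLI waits for
// the OIDC callback. port 0 asks the OS for an ephemeral port (the behaviour
// this issue is about); a fixed, non-zero port is what a "set the listener to a
// specific port" flag would select. It returns the listener and the
// redirect_uri the client would send to the IdP. Hypothetical helper, not
// sigstore's own implementation.
func startRedirectListener(port int) (net.Listener, string, error) {
	// Bind the IPv4 loopback literal; the URI uses the "localhost" name because
	// that is what the dex entry and the error message in this thread use.
	ln, err := net.Listen("tcp", net.JoinHostPort("127.0.0.1", strconv.Itoa(port)))
	if err != nil {
		return nil, "", err
	}
	actual := ln.Addr().(*net.TCPAddr).Port
	redirect := fmt.Sprintf("http://localhost:%d/auth/callback", actual)
	return ln, redirect, nil
}

// strictMatch is the comparison the providers named in this thread perform:
// the redirect_uri must be byte-for-byte one of the registered URIs, port
// included, so an ephemeral port is rejected.
func strictMatch(registered []string, redirect string) bool {
	for _, r := range registered {
		if r == redirect {
			return true
		}
	}
	return false
}

// isLoopback reports whether a host is a loopback target. RFC 8252 speaks of
// the loopback IP literals; "localhost" is included here only because that is
// the name used in this thread (an assumption, not something the RFC requires).
func isLoopback(host string) bool {
	if host == "localhost" {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// loopbackMatch applies the RFC 8252 section 7.3 rule quoted in the thread:
// for loopback redirect URIs the port is ignored during comparison, while
// scheme, host and path must still match exactly. Any non-loopback URI falls
// back to the strict comparison.
func loopbackMatch(registered []string, redirect string) bool {
	got, err := url.Parse(redirect)
	if err != nil {
		return false
	}
	for _, r := range registered {
		want, err := url.Parse(r)
		if err != nil {
			continue
		}
		if isLoopback(want.Hostname()) && isLoopback(got.Hostname()) {
			if want.Scheme == got.Scheme && want.Hostname() == got.Hostname() && want.Path == got.Path {
				return true
			}
			continue
		}
		if r == redirect {
			return true
		}
	}
	return false
}

func main() {
	// Constructed registration mirroring the dex staticClients entry above.
	registered := []string{"http://localhost:56921/auth/callback"}

	ln, redirect, err := startRedirectListener(0)
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	fmt.Println("ephemeral redirect_uri:", redirect)
	fmt.Println("strict provider accepts it:", strictMatch(registered, redirect))
	fmt.Println("RFC 8252 provider accepts it:", loopbackMatch(registered, redirect))
}
```

Run it a few times: the ephemeral URI changes on every run, so `strictMatch` is false almost every time while `loopbackMatch` stays true. Passing a fixed port to `startRedirectListener` is the fixed-port variant the thread asks for; it restores the strict match, at the cost of failing to start when that port is already in use on the machine.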

@hectorj2f
Contributor

@tuananh I've worked on adding the redirect URI flag during the weekend. I need to run a couple of additional tests, but I'll open a PR tomorrow.

4 participants