added redirect-url to interactive mode (#661)

Author: weinong

docs/book/src/cli/convert-kubeconfig.md

@@ -34,6 +34,7 @@ Flags:
       --password string                      password for ropc login flow. It may be specified in AAD_USER_PRINCIPAL_PASSWORD or AZURE_PASSWORD environment variable
       --pop-claims key=val,key2=val2         contains a comma-separated list of claims to attach to the pop token in the format key=val,key2=val2. At minimum, specify the ARM ID of the cluster as `u=ARM_ID`
       --pop-enabled                          set to true to use a PoP token for authentication or false to use a regular bearer token
+      --redirect-url string                  The URL Microsoft Entra ID will redirect to with the access token. This is only used for interactive login. This is an optional parameter.
       --server-id string                     AAD server application ID
   -t, --tenant-id string                     AAD tenant ID. It may be specified in AZURE_TENANT_ID environment variable
       --timeout duration                     Timeout duration for Azure CLI token requests. It may be specified in AZURE_CLI_TIMEOUT environment variable (default 30s)

docs/book/src/cli/get-token.md

@@ -29,6 +29,7 @@ Flags:
       --password string                      password for ropc login flow. It may be specified in AAD_USER_PRINCIPAL_PASSWORD or AZURE_PASSWORD environment variable
       --pop-claims key=val,key2=val2         contains a comma-separated list of claims to attach to the pop token in the format key=val,key2=val2. At minimum, specify the ARM ID of the cluster as `u=ARM_ID`
       --pop-enabled                          set to true to use a PoP token for authentication or false to use a regular bearer token
+      --redirect-url string                  The URL Microsoft Entra ID will redirect to with the access token. This is only used for interactive login. This is an optional parameter.
       --server-id string                     AAD server application ID
   -t, --tenant-id string                     AAD tenant ID. It may be specified in AZURE_TENANT_ID environment variable
       --timeout duration                     Timeout duration for Azure CLI token requests. It may be specified in AZURE_CLI_TIMEOUT environment variable (default 30s)

docs/book/src/concepts/login-modes/interactive.md

@@ -1,12 +1,14 @@
 # Web Browser Interactive
 
 This login mode will automatically open a browser to login the user. 
-Once authenticated, the browser will redirect back to a local web server with the credentials. 
+Once authenticated, the browser will redirect back to a local web server with access token.
+The redirect URL can be set via `--redirect-url`.
 This login mode complies with Conditional Access policy.
 
 ## Usage Examples
 
 ### Bearer token with interactive flow
+
 ```sh
 export KUBECONFIG=/path/to/kubeconfig
 
@@ -15,7 +17,19 @@ kubelogin convert-kubeconfig -l interactive
 kubectl get nodes
 ```
 
+### Specifying Redirect URL
+
+```sh
+export KUBECONFIG=/path/to/kubeconfig
+
+kubelogin convert-kubeconfig -l interactive --redirect-url http://localhost:8080
+
+kubectl get nodes
+```
+
+
 ### Proof-of-possession (PoP) token with interactive flow
+
 ```sh
 export KUBECONFIG=/path/to/kubeconfig
 

pkg/internal/converter/convert.go

@@ -37,6 +37,7 @@ const (
 	argIsPoPTokenEnabled          = "--pop-enabled"
 	argPoPTokenClaims             = "--pop-claims"
 	argDisableEnvironmentOverride = "--disable-environment-override"
+	argRedirectURL                = "--redirect-url"
 
 	flagAzureConfigDir             = "azure-config-dir"
 	flagClientID                   = "client-id"
@@ -59,6 +60,7 @@ const (
 	flagIsPoPTokenEnabled          = "pop-enabled"
 	flagPoPTokenClaims             = "pop-claims"
 	flagDisableEnvironmentOverride = "disable-environment-override"
+	flagRedirectURL                = "redirect-url"
 
 	execName        = "kubelogin"
 	getTokenCommand = "get-token"
@@ -78,7 +80,8 @@ func getArgValues(o Options, authInfo *api.AuthInfo) (
 	argEnvironmentVal,
 	argTenantIDVal,
 	argAuthRecordCacheDirVal,
-	argPoPTokenClaimsVal string,
+	argPoPTokenClaimsVal,
+	argRedirectURLVal string,
 	argIsLegacyConfigModeVal,
 	argIsPoPTokenEnabledVal bool,
 ) {
@@ -164,6 +167,12 @@ func getArgValues(o Options, authInfo *api.AuthInfo) (
 		argPoPTokenClaimsVal = getExecArg(authInfo, argPoPTokenClaims)
 	}
 
+	if o.isSet(flagRedirectURL) {
+		argRedirectURLVal = o.TokenOptions.RedirectURL
+	} else {
+		argRedirectURLVal = getExecArg(authInfo, argRedirectURL)
+	}
+
 	return
 }
 
@@ -233,7 +242,15 @@ func Convert(o Options, pathOptions *clientcmd.PathOptions) error {
 
 		klog.V(5).Info("converting...")
 
-		argServerIDVal, argClientIDVal, argEnvironmentVal, argTenantIDVal, argAuthRecordCacheDirVal, argPoPTokenClaimsVal, isLegacyConfigMode, isPoPTokenEnabled := getArgValues(o, authInfo)
+		argServerIDVal,
+			argClientIDVal,
+			argEnvironmentVal,
+			argTenantIDVal,
+			argAuthRecordCacheDirVal,
+			argPoPTokenClaimsVal,
+			argRedirectURLVal,
+			isLegacyConfigMode,
+			isPoPTokenEnabled := getArgValues(o, authInfo)
 		exec := &api.ExecConfig{
 			Command: execName,
 			Args: []string{
@@ -328,6 +345,10 @@ func Convert(o Options, pathOptions *clientcmd.PathOptions) error {
 				return err
 			}
 
+			if argRedirectURLVal != "" {
+				exec.Args = append(exec.Args, argRedirectURL, argRedirectURLVal)
+			}
+
 		case token.ServicePrincipalLogin:
 
 			if argClientIDVal == "" {

pkg/internal/converter/convert_test.go

@@ -32,6 +32,7 @@ func TestConvert(t *testing.T) {
 		federatedTokenFile = "/tmp/file"
 		authRecordCacheDir = "/tmp/token_dir"
 		azureCLIDir        = "/tmp/foo"
+		redirectURL        = "http://localhost:8000"
 	)
 	testData := []struct {
 		name                string
@@ -1208,6 +1209,35 @@ func TestConvert(t *testing.T) {
 			},
 			command: execName,
 		},
+		{
+			name: "with exec format kubeconfig, convert from devicecode to interactive with redirect url override",
+			execArgItems: []string{
+				getTokenCommand,
+				argServerID, serverID,
+				argClientID, clientID,
+				argTenantID, tenantID,
+				argEnvironment, envName,
+				argLoginMethod, token.DeviceCodeLogin,
+			},
+			overrideFlags: map[string]string{
+				flagLoginMethod: token.InteractiveLogin,
+				flagServerID:    serverID,
+				flagClientID:    clientID,
+				flagTenantID:    tenantID,
+				flagEnvironment: envName,
+				flagRedirectURL: redirectURL,
+			},
+			expectedArgs: []string{
+				getTokenCommand,
+				argServerID, serverID,
+				argClientID, clientID,
+				argTenantID, tenantID,
+				argEnvironment, envName,
+				argLoginMethod, token.InteractiveLogin,
+				argRedirectURL, redirectURL,
+			},
+			command: execName,
+		},
 		{
 			name: "convert with context specified, auth info not specified by the context should not be changed",
 			authProviderConfig: map[string]string{

pkg/internal/token/interactivebrowsercredential.go

@@ -42,6 +42,7 @@ func newInteractiveBrowserCredential(opts *Options, record azidentity.Authentica
 		ClientID:                 opts.ClientID,
 		TenantID:                 opts.TenantID,
 		DisableInstanceDiscovery: opts.DisableInstanceDiscovery,
+		RedirectURL:              opts.RedirectURL,
 	}
 
 	if opts.httpClient != nil {

pkg/internal/token/options.go

@@ -41,6 +41,7 @@ type Options struct {
 	UsePersistentCache         bool
 	DisableInstanceDiscovery   bool
 	httpClient                 *http.Client
+	RedirectURL                string
 }
 
 const (
@@ -119,6 +120,7 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&o.PoPTokenClaims, "pop-claims", o.PoPTokenClaims, "contains a comma-separated list of claims to attach to the pop token in the format `key=val,key2=val2`. At minimum, specify the ARM ID of the cluster as `u=ARM_ID`")
 	fs.BoolVar(&o.DisableEnvironmentOverride, "disable-environment-override", o.DisableEnvironmentOverride, "Enable or disable the use of env-variables. Default false")
 	fs.BoolVar(&o.DisableInstanceDiscovery, "disable-instance-discovery", o.DisableInstanceDiscovery, "set to true to disable instance discovery in environments with their own simple Identity Provider (not AAD) that do not have instance metadata discovery endpoint. Default false")
+	fs.StringVar(&o.RedirectURL, "redirect-url", o.RedirectURL, "The URL Microsoft Entra ID will redirect to with the access token. This is only used for interactive login. This is an optional parameter.")
 }
 
 func (o *Options) Validate() error {
@@ -275,19 +277,23 @@ func (o *Options) GetCloudConfiguration() cloud.Configuration {
 
 func (o *Options) ToString() string {
 	azureConfigDir := os.Getenv("AZURE_CONFIG_DIR")
-	return fmt.Sprintf("Login Method: %s, Environment: %s, TenantID: %s, ServerID: %s, ClientID: %s, IsLegacy: %t, msiResourceID: %s, Timeout: %v, authRecordCacheDir: %s, tokenauthRecordFile: %s, AZURE_CONFIG_DIR: %s",
-		o.LoginMethod,
-		o.Environment,
-		o.TenantID,
-		o.ServerID,
-		o.ClientID,
-		o.IsLegacy,
-		o.IdentityResourceID,
-		o.Timeout,
-		o.AuthRecordCacheDir,
-		o.authRecordCacheFile,
-		azureConfigDir,
-	)
+
+	parts := []string{
+		fmt.Sprintf("Login Method: %s", o.LoginMethod),
+		fmt.Sprintf("Environment: %s", o.Environment),
+		fmt.Sprintf("TenantID: %s", o.TenantID),
+		fmt.Sprintf("ServerID: %s", o.ServerID),
+		fmt.Sprintf("ClientID: %s", o.ClientID),
+		fmt.Sprintf("IsLegacy: %t", o.IsLegacy),
+		fmt.Sprintf("msiResourceID: %s", o.IdentityResourceID),
+		fmt.Sprintf("Timeout: %v", o.Timeout),
+		fmt.Sprintf("authRecordCacheDir: %s", o.AuthRecordCacheDir),
+		fmt.Sprintf("tokenauthRecordFile: %s", o.authRecordCacheFile),
+		fmt.Sprintf("AZURE_CONFIG_DIR: %s", azureConfigDir),
+		fmt.Sprintf("RedirectURL: %s", o.RedirectURL),
+	}
+
+	return strings.Join(parts, ", ")
 }
 
 func getAuthenticationRecordFileName(o *Options) string {