[Feature] Support OAuth2 authorization flow when localhost redirect URIs are not allowed

[elebeaup]

Is your feature request related to a problem? Please describe.
The OAuth2 authorization process typically relies on a redirect_uri pointing to a localhost address (e.g., http://localhost:9000) so that the application can capture the authorization_code.
However, some OAuth providers do not allow localhost redirect URIs.
In this case, it becomes impossible to retrieve the authorization_code and complete the token exchange flow.

Describe the solution you'd like
Add an option allowing the user to choose how the authorization URL is launched:

• either with the system browser (current behavior),
• or by executing an external program, such as a small Node.js script that opens a WebView (e.g., Electron).

An example of an external program that :

• open a webview
• load the authorization URL in a parameter
• intercept the redirect internally, and then performs a 302 redirect to the local server

#!/usr/bin/env electron

import { app, BrowserWindow } from "electron";

const argv = process.argv.slice(2).reduce((acc, arg) => {
  const i = arg.indexOf("=");
  const key = i == -1 ? arg : arg.slice(0, i);
  const value = i == -1 ? true : arg.slice(i + 1);
  const cleanKey = key.startsWith("--") ? key.slice(2) : key;
  acc[cleanKey] = value;
  return acc;
}, {});

async function createWindow() {
  const authorizeUrl = argv.authorizeUrl;
  const callbackUrl = argv.callbackUrl;
  const resetCookies = argv.resetCookies;
  const url = new URL(authorizeUrl);
  const redirectUrl = url.searchParams.get("redirect_uri");

  const mainWindow = new BrowserWindow({
    width: 900,
    height: 720,
  });

  if (resetCookies) {
    await mainWindow.webContents.session.clearStorageData({
      storages: ["cookies"],
    });
  }

  mainWindow.webContents.on("will-redirect", (event, url) => {
    if (url.startsWith(redirectUrl)) {
      event.preventDefault();
      const interceptedUrl = new URL(url);
      const newCallbackUrl = new URL(callbackUrl);
      interceptedUrl.searchParams.forEach((value, key) => {
        newCallbackUrl.searchParams.append(key, value);
      });
      mainWindow.loadURL(newCallbackUrl.toString());
    }
  });

  mainWindow.loadURL(authorizeUrl);
}

app.whenReady().then(createWindow);

app.on("window-all-closed", () => {
  app.quit();
});

app.on("activate", () => {
  if (BrowserWindow.getAllWindows().length === 0) {
    createWindow();
  }
});

[YaroSpace]

Sounds like a good idea! Let me try this approach.

[elebeaup]

To clarify this feature request, its goal is to configure how the authorization URL is launched, not to provide the external program shown as an example. Users are free to develop the wrapper of their choice (that's my point of view 😁). And thank you very much for your awesome work

[YaroSpace]

Tried it out. This works really well.

Pushed update to develop.

Please check out https://github.com/mistweaverco/kulala.nvim/blob/develop/docs/docs/usage/authentication.md#use-authentication-configuration-in-http-requests.
Note, that the shell script will be passed Auth URL as position argument. Also the server is spawned on port specified in Redirect URL or 80, so the script should default callback_url to http://localhost:80 (or the port in Redirect URL) or set Browser CMD to browser.js your_callback_url and get it in the second position argument for callback_url, because Auth URL is passed as the first arg.

I have not thought of any edge cases, so would be great for any feedback.

[elebeaup]

I can confirm that it works well. This is the feature I was missing compared to the IntelliJ plugin. I just have one feedback: port 80 is denied for normal users on Ubuntu (ports below 1024 can only be opened by root), and in my case, it's often already in use by another process. It would therefore be helpful if, when Browser CMD is defined, the server were launched on a port specified in the configuration options or on a randomly available port.

[YaroSpace]

Ah, yes! Good point! Will change to 8080.

It will listen either on the port specified in callback URL or 8080. Can't be random, otherwise the browser won't know to which port to redirect.

[YaroSpace]

Updated on develop.