Hidetake Iwata
1ecd149388 Merge branch 'master' into int128/Add----oidc-access-type- 2025-11-24 21:24:10 +09:00
Hidetake Iwata
c0c507b787 Merge branch 'master' into int128/Add----oidc-access-type- 2025-11-23 14:52:23 +09:00
Hidetake Iwata
8ffa0cbda0 Add --oidc-access-type 2025-07-13 15:11:47 +09:00
Hidetake Iwata
556c96e777 Refactor authcode.go 2025-07-13 14:17:30 +09:00
5 changed files with 25 additions and 8 deletions


@@ -31,6 +31,7 @@ Flags:
--local-server-cert string [authcode] Certificate path for the local server
--local-server-key string [authcode] Certificate key path for the local server
--open-url-after-authentication string [authcode] If set, open the URL in the browser after authentication
--oidc-access-type string [authcode, authcode-keyboard] Access type of the authentication request (default "offline")
--oidc-auth-request-extra-params stringToString [authcode, authcode-keyboard, client-credentials] Extra query parameters to send with an authentication request (default [])
--username string [password] Username for resource owner password credentials grant
--password string [password] Password for resource owner password credentials grant


@@ -23,6 +23,7 @@ type authenticationOptions struct {
LocalServerCertFile string
LocalServerKeyFile string
OpenURLAfterAuthentication string
AuthRequestAccessType string
AuthRequestExtraParams map[string]string
Username string
Password string
@@ -46,6 +47,7 @@ func (o *authenticationOptions) addFlags(f *pflag.FlagSet) {
f.StringVar(&o.LocalServerCertFile, "local-server-cert", "", "[authcode] Certificate path for the local server")
f.StringVar(&o.LocalServerKeyFile, "local-server-key", "", "[authcode] Certificate key path for the local server")
f.StringVar(&o.OpenURLAfterAuthentication, "open-url-after-authentication", "", "[authcode] If set, open the URL in the browser after authentication")
f.StringVar(&o.AuthRequestAccessType, "oidc-access-type", "offline", "[authcode, authcode-keyboard] Access type of the authentication request")
f.StringToStringVar(&o.AuthRequestExtraParams, "oidc-auth-request-extra-params", nil, "[authcode, authcode-keyboard, client-credentials] Extra query parameters to send with an authentication request")
f.StringVar(&o.Username, "username", "", "[password] Username for resource owner password credentials grant")
f.StringVar(&o.Password, "password", "", "[password] Password for resource owner password credentials grant")
@@ -67,10 +69,12 @@ func (o *authenticationOptions) grantOptionSet() (s authentication.GrantOptionSe
LocalServerCertFile: o.LocalServerCertFile,
LocalServerKeyFile: o.LocalServerKeyFile,
OpenURLAfterAuthentication: o.OpenURLAfterAuthentication,
AuthRequestAccessType: o.AuthRequestAccessType,
AuthRequestExtraParams: o.AuthRequestExtraParams,
}
case o.GrantType == "authcode-keyboard":
s.AuthCodeKeyboardOption = &authcode.KeyboardOption{
AuthRequestAccessType: o.AuthRequestAccessType,
AuthRequestExtraParams: o.AuthRequestExtraParams,
}
case o.GrantType == "password" || (o.GrantType == "auto" && o.Username != ""):
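Review bot: The new `--oidc-access-type` flag in the addFlags hunk is forwarded verbatim as the `access_type` query parameter of the authorization request (AuthRequestAccessType is copied into the browser and keyboard options, and client.go emits it through SetAuthURLParam), but its help text says neither which values are meaningful nor that an empty value omits the parameter, and nothing validates the string before it reaches the URL. I would at least extend the help to `"[authcode, authcode-keyboard] Access type of the authentication request (e.g. online or offline); set to an empty string to omit the parameter"`, and consider rejecting values the provider does not document. grantOptionSet starts and ends outside the last hunk.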


@@ -15,6 +15,7 @@ type AuthCodeURLInput struct {
State string
Nonce string
PKCEParams pkce.Params
AccessType string
AuthRequestExtraParams map[string]string
}
@@ -25,6 +26,7 @@ type ExchangeAuthCodeInput struct {
}
type GetTokenByAuthCodeInput struct {
AuthCodeURLInput
BindAddress []string
State string
Nonce string
@@ -45,7 +47,7 @@ func (c *client) GetTokenByAuthCode(ctx context.Context, in GetTokenByAuthCodeIn
config := oauth2cli.Config{
OAuth2Config: c.oauth2Config,
State: in.State,
AuthCodeOptions: authorizationRequestOptions(in.Nonce, in.PKCEParams, in.AuthRequestExtraParams),
AuthCodeOptions: authorizationRequestOptions(in.AuthCodeURLInput),
TokenRequestOptions: tokenRequestOptions(in.PKCEParams),
LocalServerBindAddress: in.BindAddress,
LocalServerReadyChan: localServerReadyChan,
@@ -63,8 +65,7 @@ func (c *client) GetTokenByAuthCode(ctx context.Context, in GetTokenByAuthCodeIn
// GetAuthCodeURL returns the URL of authentication request for the authorization code flow.
func (c *client) GetAuthCodeURL(in AuthCodeURLInput) string {
opts := authorizationRequestOptions(in.Nonce, in.PKCEParams, in.AuthRequestExtraParams)
return c.oauth2Config.AuthCodeURL(in.State, opts...)
return c.oauth2Config.AuthCodeURL(in.State, authorizationRequestOptions(in)...)
}
// ExchangeAuthCode exchanges the authorization code and token.
@@ -78,15 +79,17 @@ func (c *client) ExchangeAuthCode(ctx context.Context, in ExchangeAuthCodeInput)
return c.verifyToken(ctx, token, in.Nonce)
}
func authorizationRequestOptions(nonce string, pkceParams pkce.Params, extraParams map[string]string) []oauth2.AuthCodeOption {
func authorizationRequestOptions(in AuthCodeURLInput) []oauth2.AuthCodeOption {
opts := []oauth2.AuthCodeOption{
oauth2.AccessTypeOffline,
gooidc.Nonce(nonce),
gooidc.Nonce(in.Nonce),
}
if pkceOpt := pkceParams.AuthCodeOption(); pkceOpt != nil {
if in.AccessType != "" {
opts = append(opts, oauth2.SetAuthURLParam("access_type", in.AccessType))
}
if pkceOpt := in.PKCEParams.AuthCodeOption(); pkceOpt != nil {
opts = append(opts, pkceOpt)
}
for key, value := range extraParams {
for key, value := range in.AuthRequestExtraParams {
opts = append(opts, oauth2.SetAuthURLParam(key, value))
}
return opts
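Review bot: GetTokenByAuthCodeInput now embeds AuthCodeURLInput yet keeps its own `State` and `Nonce` fields (second hunk), so each value exists twice: GetTokenByAuthCode reads the outer `in.State` for the oauth2cli config while authorizationRequestOptions(in.AuthCodeURLInput) reads the inner `Nonce`, and the caller in browser.go has to fill both pairs identically. If a caller ever sets only one of them, the nonce placed in the request and the nonce presumably verified later from the outer field could diverge, turning the replay check into a silent mismatch; I would drop the outer `State`/`Nonce` so the promoted fields are the single source of truth, or document that they must be equal. Separately, the `if in.AccessType != ""` branch in authorizationRequestOptions replaces the unconditional `oauth2.AccessTypeOffline`, so any caller that builds AuthCodeURLInput without AccessType now sends no `access_type` at all; worth a doc comment on the field such as `// AccessType sets the access_type parameter of the authorization request; empty omits it (the CLI defaults to "offline").` The GetTokenByAuthCodeInput struct continues outside its hunk.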


@@ -19,6 +19,7 @@ type BrowserOption struct {
BindAddress []string
AuthenticationTimeout time.Duration
OpenURLAfterAuthentication string
AuthRequestAccessType string
AuthRequestExtraParams map[string]string
LocalServerCertFile string
LocalServerKeyFile string
@@ -49,6 +50,13 @@ func (u *Browser) Do(ctx context.Context, o *BrowserOption, oidcClient client.In
successHTML = BrowserRedirectHTML(o.OpenURLAfterAuthentication)
}
in := client.GetTokenByAuthCodeInput{
AuthCodeURLInput: client.AuthCodeURLInput{
State: state,
Nonce: nonce,
PKCEParams: pkceParams,
AccessType: o.AuthRequestAccessType,
AuthRequestExtraParams: o.AuthRequestExtraParams,
},
BindAddress: o.BindAddress,
State: state,
Nonce: nonce,


@@ -14,6 +14,7 @@ import (
const keyboardPrompt = "Enter code: "
type KeyboardOption struct {
AuthRequestAccessType string
AuthRequestExtraParams map[string]string
}
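Review bot: The exported `AuthRequestAccessType` field added to KeyboardOption has no doc comment, and this hunk does not show Keyboard.Do forwarding it, so a reader of this file cannot tell what the value means or what an empty string does. Presumably it ends up as AuthCodeURLInput.AccessType, where client.go omits the `access_type` parameter entirely for an empty value; I would add `// AuthRequestAccessType is the access_type parameter of the authorization request; empty omits it.` above the field, and the same comment on BrowserOption in browser.go.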