Add ssh authenatication with jwt (#4550)

2026-04-23 02:36:42 +00:00 · 2025-10-07 23:38:27 +02:00
parent 7e0bbaaa3c
commit d9efe4e944
50 changed files with 4429 additions and 2336 deletions
--- a/client/proto/daemon.proto
+++ b/client/proto/daemon.proto
@@ -87,6 +87,12 @@ service DaemonService {

  // GetPeerSSHHostKey retrieves SSH host key for a specific peer
  rpc GetPeerSSHHostKey(GetPeerSSHHostKeyRequest) returns (GetPeerSSHHostKeyResponse) {}
+
+  // RequestJWTAuth initiates JWT authentication flow for SSH
+  rpc RequestJWTAuth(RequestJWTAuthRequest) returns (RequestJWTAuthResponse) {}
+  
+  // WaitJWTToken waits for JWT authentication completion
+  rpc WaitJWTToken(WaitJWTTokenRequest) returns (WaitJWTTokenResponse) {}
 }


@@ -166,6 +172,7 @@ message LoginRequest {
  optional bool enableSSHSFTP = 34;
  optional bool enableSSHLocalPortForwarding = 35;
  optional bool enableSSHRemotePortForwarding = 36;
+  optional bool disableSSHAuth = 37;
 }

 message LoginResponse {
@@ -268,6 +275,8 @@ message GetConfigResponse {
  bool enableSSHLocalPortForwarding = 22;

  bool enableSSHRemotePortForwarding = 23;
+
+  bool disableSSHAuth = 25;
 }

 // PeerState contains the latest state of a peer
@@ -612,6 +621,7 @@ message SetConfigRequest {
  optional bool enableSSHSFTP = 30;
  optional bool enableSSHLocalPortForward = 31;
  optional bool enableSSHRemotePortForward = 32;
+  optional bool disableSSHAuth = 33;
 }

 message SetConfigResponse{}
@@ -681,3 +691,43 @@ message GetPeerSSHHostKeyResponse {
  // indicates if the SSH host key was found
  bool found = 4;
 }
+
+// RequestJWTAuthRequest for initiating JWT authentication flow
+message RequestJWTAuthRequest {
+}
+
+// RequestJWTAuthResponse contains authentication flow information
+message RequestJWTAuthResponse {
+  // verification URI for user authentication
+  string verificationURI = 1;
+  // complete verification URI (with embedded user code)
+  string verificationURIComplete = 2;
+  // user code to enter on verification URI
+  string userCode = 3;
+  // device code for polling
+  string deviceCode = 4;
+  // expiration time in seconds
+  int64 expiresIn = 5;
+  // if a cached token is available, it will be returned here
+  string cachedToken = 6;
+  // maximum age of JWT tokens in seconds (from management server)
+  int64 maxTokenAge = 7;
+}
+
+// WaitJWTTokenRequest for waiting for authentication completion
+message WaitJWTTokenRequest {
+  // device code from RequestJWTAuthResponse
+  string deviceCode = 1;
+  // user code for verification
+  string userCode = 2;
+}
+
+// WaitJWTTokenResponse contains the JWT token after authentication
+message WaitJWTTokenResponse {
+  // JWT token (access token or ID token)
+  string token = 1;
+  // token type (e.g., "Bearer")
+  string tokenType = 2;
+  // expiration time in seconds
+  int64 expiresIn = 3;
+}