update

laurentsimon · laurentsimon · commit 329bd063d446 · 2023-06-02T17:57:37.000Z
Signed-off-by: laurentsimon &lt;laurentsimon@google.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,9 @@ All versions prior to 0.9.0 are untracked.
 
 ### Changed
 
+* CLI now supports a `--oauth-force-oob` option.
+  ([#667](https://github.com/sigstore/sigstore-python/pull/667))
+
 * `sigstore verify` now performs additional verification of Rekor's inclusion
   proofs by cross-checking them against signed checkpoints
   ([#634](https://github.com/sigstore/sigstore-python/pull/634))
diff --git a/README.md b/README.md
@@ -160,6 +160,7 @@ OpenID Connect options:
                         (e.g. on GitHub Actions) (default: False)
   --oidc-issuer URL     The OpenID Connect issuer to use (conflicts with
                         --staging) (default: https://oauth2.sigstore.dev/auth)
+  --oauth-force-oob     Force an out-of-band OAuth flow and do not automatically start the default web browser (default: False)
 
 Output options:
   --no-default-files    Don't emit the default output files ({input}.sigstore)
diff --git a/sigstore/_cli.py b/sigstore/_cli.py
@@ -222,10 +222,10 @@ def _add_shared_oidc_options(
         help="The OpenID Connect issuer to use (conflicts with --staging)",
     )
     group.add_argument(
-        "--oidc-disable-default-browser",
+        "--oauth-force-oob",
         action="store_true",
-        default=_boolify_env("SIGSTORE_OIDC_DISABLE_DEFAULT_BROWSER"),
-        help="Do not start the default web browser to complete the OAuth flow. Instead display a web link to the user.",
+        default=_boolify_env("SIGSTORE_OAUTH_FORCE_OOB"),
+        help="Force an out-of-band OAuth flow and do not automatically start the default web browser",
     )
 
 
@@ -972,7 +972,7 @@ def _get_identity(args: argparse.Namespace) -> Optional[IdentityToken]:
     token = issuer.identity_token(
         client_id=args.oidc_client_id,
         client_secret=args.oidc_client_secret,
-        force_oob=args.oidc_disable_default_browser,
+        force_oob=args.oath_force_oob,
     )
 
     return token
diff --git a/sigstore/oidc.py b/sigstore/oidc.py
@@ -255,7 +255,7 @@ def identity_token(  # nosec: B107
         Retrieves and returns an `IdentityToken` from the current `Issuer`, via OAuth.
 
         This function blocks on user interaction, either via a web browser or an out-of-band
-        OAuth flow.
+        OAuth flow. When force_oob, the out-of-band flow is always used.
         """
 
         # This function and the components that it relies on are based off of:

Original file line number	Diff line number	Diff line change
`@@ -222,10 +222,10 @@ def _add_shared_oidc_options(`
`222`	`222`	`help="The OpenID Connect issuer to use (conflicts with --staging)",`
`223`	`223`	`)`
`224`	`224`	`group.add_argument(`
`225`		`- "--oidc-disable-default-browser",`
	`225`	`+ "--oauth-force-oob",`
`226`	`226`	`action="store_true",`
`227`		`- default=_boolify_env("SIGSTORE_OIDC_DISABLE_DEFAULT_BROWSER"),`
`228`		`- help="Do not start the default web browser to complete the OAuth flow. Instead display a web link to the user.",`
	`227`	`+ default=_boolify_env("SIGSTORE_OAUTH_FORCE_OOB"),`
	`228`	`+ help="Force an out-of-band OAuth flow and do not automatically start the default web browser",`
`229`	`229`	`)`
`230`	`230`
`231`	`231`
`@@ -972,7 +972,7 @@ def _get_identity(args: argparse.Namespace) -> Optional[IdentityToken]:`
`972`	`972`	`token = issuer.identity_token(`
`973`	`973`	`client_id=args.oidc_client_id,`
`974`	`974`	`client_secret=args.oidc_client_secret,`
`975`		`- force_oob=args.oidc_disable_default_browser,`
	`975`	`+ force_oob=args.oath_force_oob,`
`976`	`976`	`)`
`977`	`977`
`978`	`978`	`return token`