
oidc: allow setting redirect server port #1768

Open
antonio-mazzini wants to merge 1 commit into sigstore:main from antonio-mazzini:feat/oidc-redirect-port

@antonio-mazzini

Summary

Adds an optional redirect_port argument to Issuer.identity_token
so callers can bind the local OAuth redirect server to a fixed port
instead of always using an ephemeral one.

Some enterprise OIDC providers (and Microsoft Entra ID under certain
configurations) require a pre-registered redirect URI and do not allow
wildcards on localhost ports, which currently blocks sigstore-python
from being used in those environments. cosign already exposes a
--oidc-redirect-url flag that solves the same problem on the CLI side.

The default of 0 preserves the existing behaviour (OS-assigned port).

Closes #1029

Test plan

  • make lint — ruff/mypy/bandit/interrogate green
  • pytest test/unit — 177 passed, no regressions
  • New unit test test_identity_token_passes_redirect_port verifies
    the parameter is forwarded to the OAuth flow

Add a redirect_port parameter to Issuer.identity_token so callers can
bind the local OAuth redirect server to a fixed port. Useful for OIDC
providers that require a pre-registered redirect URI without localhost
port wildcards.

Closes sigstore#1029

Signed-off-by: Antonio Mazzini <antoniomazzini55@gmail.com>
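
What binding the local redirect listener to a fixed port involves, as an added example that is not code from this pull request or from sigstore-python. The helper names, the `/auth/callback` path and the sample values are assumptions made for the illustration; only the `redirect_port` name and its default of 0 come from the description above.

```python
# Added example (not sigstore-python code): loopback OAuth redirect listener.
import secrets
import socket
from urllib.parse import parse_qs, urlsplit

LOOPBACK = "127.0.0.1"
CALLBACK_PATH = "/auth/callback"  # assumed path for this example


def bind_redirect_listener(redirect_port: int = 0) -> tuple[socket.socket, str]:
    """Bind the listener; 0 asks the OS for an ephemeral port (the PR's default)."""
    if not 0 <= redirect_port <= 65535:
        raise ValueError(f"invalid redirect port: {redirect_port}")
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # Loopback only, and no SO_REUSEADDR/SO_REUSEPORT: if another local
        # process already holds the fixed port, fail instead of sharing it.
        sock.bind((LOOPBACK, redirect_port))
        sock.listen(1)
    except OSError as exc:
        sock.close()
        raise RuntimeError(f"cannot bind {LOOPBACK}:{redirect_port}: {exc}") from exc
    # The advertised URI must carry the real port so it matches what the
    # provider has registered (fixed) or accepts (ephemeral).
    return sock, f"http://{LOOPBACK}:{sock.getsockname()[1]}{CALLBACK_PATH}"


def extract_code(request_target: str, expected_state: str) -> str:
    """Return the authorization code only if path and state both match."""
    parts = urlsplit(request_target)
    if parts.path != CALLBACK_PATH:
        raise ValueError("unexpected callback path")
    query = parse_qs(parts.query)
    state = query.get("state", [""])[0]
    # A fixed port is predictable to other local software, so the state
    # check is what ties a callback to the flow this process started.
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("missing authorization code")
    return code
```
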

Development

Successfully merging this pull request may close these issues.

Allow setting of redirect uri port