# getting-started
a
Hi all, I’m trying to access the GraphQL API with datahub-frontend. I want to use the GraphQL API from the CLI, but I can’t find how to get the auth cookie without using a browser. I tried adding an additional OIDC callback URI to Okta, localhost:<PORT>/callback/oidc, and made a Flask server that can get <STATE> and <CODE>. (Reference: https://developer.okta.com/blog/2018/07/16/oauth-2-command-line) But when I make a GET request to http://<DATAHUB_URL>/callback/oidc?code=<CODE>&state=<STATE>, it produces a redirect-uri mismatch error (Bad token response, error=invalid_grant). Is there any great way to get the auth cookie without using a browser? (I’m using Okta OIDC.)
e
@big-carpet-38439 any ideas on using OIDC through the API? Side note: GraphQL endpoints are exposed in GMS as well, which is not behind an auth wall.
b
@abundant-flag-19546 Currently, getting the auth cookie is not straightforward if you're using OIDC. This is because OIDC requires the sign-in flow (i.e. a web browser) to kick off. That being said, you can programmatically log in using username and password. This call will return a Set-Cookie header that you can use in subsequent requests. How could this work better for you?
a
@big-carpet-38439 That can be a good way to access GraphQL programmatically, but we should be able to authenticate and authorize (with DataHub policies) each employee using Okta. (That's why we can't expose GMS to all.)
b
You can authenticate and authorize each employee using Okta integrated over OIDC.
Is that what you mean? If you integrate with Okta, each user from your company will get a DataHub account when they log in
b
Hello @big-carpet-38439, I am working with @abundant-flag-19546 to solve this issue. We already saw that DataHub automatically provisions each user when they log in to the DataHub web application. What we want to do is to allow CLI-based OIDC authentication to DataHub. (Similar experience to gcloud init.) We need to execute read actions in a programmatic way with controlled permissions based on OIDC credentials. Do we have any solution for this?