github.com/rstandt/terraform@v0.12.32-0.20230710220336-b1063613405c/website/docs/internals/login-protocol.html.markdown (about) 1 --- 2 layout: "docs" 3 page_title: "Login Protocol" 4 sidebar_current: "docs-internals-login-protocol" 5 description: |- 6 The login protocol is used for authenticating Terraform against servers providing Terraform-native services. 7 --- 8 9 # Server-side Login Protocol 10 11 ~> **Note:** You don't need to read these docs to _use_ 12 [`terraform login`](/docs/commands/login.html). The information below is for 13 anyone intending to implement the server side of `terraform login` in order to 14 offer Terraform-native services in a third-party system. 15 16 The `terraform login` command supports performing an OAuth 2.0 authorization 17 request using configuration provided by the target host. You may wish to 18 implement this protocol if you are producing a third-party implementation of 19 any [Terraform-native services](/docs/internals/remote-service-discovery.html), 20 such as a Terraform module registry. 21 22 First, Terraform uses 23 [remote service discovery](/docs/internals/remote-service-discovery.html) to 24 find the OAuth configuration for the host. The host must support the service 25 name `login.v1` and define for it an object containing OAuth client 26 configuration values, like this: 27 28 ```json 29 { 30 "login.v1": { 31 "client": "terraform-cli", 32 "grant_types": ["authz_code"], 33 "authz": "/oauth/authorization", 34 "token": "/oauth/token", 35 "ports": [10000, 10010], 36 } 37 } 38 ``` 39 40 The properties within the discovery object are as follows: 41 42 * `client` (Required): The `client_id` value to use when making requests, as 43 defined in [RFC 6749 section 2.2](https://tools.ietf.org/html/rfc6749#section-2.2). 44 45 Because Terraform is a _public client_ (it is installed on end-user systems 46 and thus cannot protect an OAuth client secret), the `client_id` is purely 47 advisory and the server must not use it as a guarantee that an authorization 48 request is truly coming from Terraform. 49 50 * `grant_types` (Optional): A JSON array of strings describing a set of OAuth 51 2.0 grant types the server is able to support. A "grant type" selects a 52 specific mechanism by which an OAuth server authenticates the request and 53 issues an authorization token. 54 55 Terraform CLI currently only supports a single grant type: 56 57 * `authz_code`: [authorization code grant](https://tools.ietf.org/html/rfc6749#section-4.1). 58 Both the `authz` and `token` properties are required when `authz_code` is 59 present. 60 61 Other grant types may be supported in future versions of Terraform CLI, 62 and may impose different requirements on the `authz` and `token` properties. 63 If not specified, `grant_types` defaults to `["authz_code"]`. 64 65 * `authz` (Required if needed for a given grant type): the server's 66 [authorization endpoint](https://tools.ietf.org/html/rfc6749#section-3.1). 67 If given as a relative URL, it is resolved from the location of the 68 service discovery document. 69 70 * `token` (Required if needed for a given grant type): the server's 71 [token endpoint](https://tools.ietf.org/html/rfc6749#section-3.2). 72 If given as a relative URL, it is resolved from the location of the 73 service discovery document. 74 75 * `ports` (Optional): A two-element JSON array giving an inclusive range of 76 TCP ports that Terraform may use for the temporary HTTP server it will start 77 to provide the [redirection endpoint](https://tools.ietf.org/html/rfc6749#section-3.1.2) 78 for the first step of an authorization code grant. Terraform opens a TCP 79 listen port on the loopback interface in order to receive the response from 80 the server's authorization endpoint. 81 82 If not specified, Terraform is free to select any TCP port greater than or 83 equal to 1024. 84 85 Terraform allows constraining this port range for interoperability with OAuth 86 server implementations that require each `client_id` to be associated with 87 a fixed set of valid redirection endpoint URLs. Configure such a server 88 to expect a range of URLs of the form `http://localhost:10000/` 89 with different consecutive port numbers, and then specify that port range 90 using `ports`. 91 92 We recommend allowing at least 10 distinct port numbers if possible, and 93 assigning them to numbers greater than or equal to 10000, to minimize the 94 risk that all of the possible ports will already be in use on a particular 95 system. 96 97 When requesting an authorization code grant, Terraform CLI implements the 98 [Proof Key for Code Exchange](https://tools.ietf.org/html/rfc7636) extension in 99 order to protect against other applications on the system intercepting the 100 incoming request to the redirection endpoint. We strongly recommend that you 101 select an OAuth server implementation that also implements this extension and 102 verifies the code challenge sent to the token endpoint. 103 104 Terraform CLI does not support OAuth refresh tokens or token expiration. If your 105 server issues time-limited tokens, Terraform CLI will simply begin receiving 106 authorization errors once the token expires, after which the user can run 107 `terraform login` again to obtain a new token. 108 109 -> **Note:** As a special case, Terraform can use a 110 [Resource Owner Password Credentials Grant](https://tools.ietf.org/html/rfc6749#section-4.3) 111 only when interacting with `app.terraform.io` ([Terraform Cloud](/docs/cloud/index.html)), 112 under the recommendation in the OAuth specification to use this grant type only 113 when the client and server are closely related. The `password` grant type is 114 not supported for any other hostname and will be ignored.