Skip to content

feat: add GitHub Device Authorization Grant (CLI auth) to GithubLoginHandler#1510

Open
Mukesh-M-Lohar wants to merge 4 commits into
mher:masterfrom
Mukesh-M-Lohar:feat/github-device-auth
Open

feat: add GitHub Device Authorization Grant (CLI auth) to GithubLoginHandler#1510
Mukesh-M-Lohar wants to merge 4 commits into
mher:masterfrom
Mukesh-M-Lohar:feat/github-device-auth

Conversation

@Mukesh-M-Lohar

@Mukesh-M-Lohar Mukesh-M-Lohar commented Jun 28, 2026

Copy link
Copy Markdown

Summary

Adds support for the GitHub Device Authorization Grant (RFC 8628) directly inside the existing GithubLoginHandler, enabling CLI / browserless authentication without a separate handler class.

This is particularly useful when building custom integrations like Model Context Protocol (MCP) servers, allowing headless CLI environments to securely authenticate and access the tasks API.

Also documents the FLOWER_GITHUB_OAUTH_DOMAIN environment variable which partially addresses #1308 (GitHub Enterprise Server support).

How to Test

Setup

Configure flowerconfig.py with GitHub OAuth details and start Flower:

celery flower --auth_provider="flower.views.auth.GithubLoginHandler" \
              --auth="your-email@example.com" \
              --oauth2_key="<client_id>" \
              --oauth2_secret="<client_secret>"

Steps

  1. Request Device Code (POST):

    curl -X POST http://localhost:5555/login

    Expected Response: JSON containing device_code, user_code, verification_uri.

  2. Authorize Device:
    Go to the verification_uri in your browser and enter the user_code.

  3. Poll for Auth status (GET):
    Query the polling endpoint:

    curl -i "http://localhost:5555/login?device_code=<device_code>"
    • Before authorization: Returns 202 Accepted (authorization_pending).
    • After authorization: Returns 302 Found with Location: / and sets the session cookie.

Changes

flower/views/auth.py

  • Added _OAUTH_DEVICE_CODE_URL class attribute
  • Added post() — device flow step 1: requests device_code + user_code from GitHub, returns JSON
  • Added _device_poll() — device flow step 2: polls for access token, returns 202 while pending, 302 on success
  • Existing web OAuth flow (GET /login, GET /login?code=…) is unchanged

tests/unit/views/test_auth.py

  • 4 new unit tests covering: device code request (POST), authorization pending (202), auth error (403), and successful auth with cookie + redirect (302)

docs/auth.rst

No breaking changes

The existing OAuth web flow behaviour is fully preserved.

…Handler

- POST /login: requests device_code + user_code from GitHub (RFC 8628)
- GET /login?device_code=…: polls for token; 202 while pending, 302 on success
- Existing web OAuth flow (GET /login, GET /login?code=…) unchanged
- Added _OAUTH_DEVICE_CODE_URL and _device_poll() to GithubLoginHandler
- 4 new unit tests covering device flow branches
- docs: document device auth subsection and FLOWER_GITHUB_OAUTH_DOMAIN env var
@Mukesh-M-Lohar Mukesh-M-Lohar marked this pull request as draft June 28, 2026 04:50
@Mukesh-M-Lohar Mukesh-M-Lohar marked this pull request as ready for review June 28, 2026 04:56
@Mukesh-M-Lohar

Copy link
Copy Markdown
Author

@auvipy could you review this PR

@Mukesh-M-Lohar

Copy link
Copy Markdown
Author

Hi! I have implemented the GitHub Device Authorization Grant (CLI auth) flow and updated the unit tests/documentation.

All 10 unit tests are passing successfully locally. Could a maintainer please approve the workflow run so that the CI checks can verify? Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants