Actually put a redirect uri in the response :/

Cargo.toml

@@ -79,6 +79,7 @@ tokio = "1.33.0"
 toml = "0.8.2"
 tracing = "0.1.37"
 tracing-appender = "0.2.2"
+tracing-bunyan-formatter = "0.3.9"
 tracing-core = "0.1.31"
 tracing-slog = { git = "https://github.com/oxidecomputer/tracing-slog" }
 tracing-subscriber = "0.3.17"

rfd-api/Cargo.toml

@@ -49,6 +49,7 @@ toml = { workspace = true }
 trace-request = { path = "../trace-request" }
 tracing = { workspace = true }
 tracing-appender = { workspace = true }
+tracing-bunyan-formatter = { workspace = true }
 tracing-slog = { workspace = true }
 tracing-subscriber = { workspace = true, features = ["env-filter", "fmt", "json"] }
 uuid = { workspace = true, features = ["v4", "serde"]  }

rfd-api/src/endpoints/login/oauth/code.rs

@@ -11,13 +11,13 @@ use http::{
 use hyper::{Body, Response};
 use oauth2::{
     reqwest::async_http_client, AuthorizationCode, CsrfToken, PkceCodeChallenge, PkceCodeVerifier,
-    Scope, TokenResponse,
+    RedirectUrl, Scope, TokenResponse,
 };
 use rfd_model::{schema_ext::LoginAttemptState, LoginAttempt, NewLoginAttempt, OAuthClient};
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 use sha2::{Digest, Sha256};
-use std::fmt::Debug;
+use std::{borrow::Cow, fmt::Debug};
 use tap::TapFallible;
 use tracing::instrument;
 use uuid::Uuid;
@@ -207,13 +207,15 @@ pub async fn authz_code_redirect(
     tracing::info!(?attempt.id, "Created login attempt");
 
     Ok(oauth_redirect_response(
+        &ctx.public_url,
         &*provider,
         &attempt,
         pkce_challenge,
     )?)
 }
 
 fn oauth_redirect_response(
+    public_url: &str,
     provider: &dyn OAuthProvider,
     attempt: &LoginAttempt,
     code_challenge: Option<PkceCodeChallenge>,
@@ -231,9 +233,18 @@ fn oauth_redirect_response(
     let login_cookie = HeaderValue::from_str(&format!("{}={}", LOGIN_ATTEMPT_COOKIE, attempt.id))
         .map_err(to_internal_error)?;
 
+    // Construct the url for the remote provider to send the user back to
+    let redirect_url = RedirectUrl::new(format!(
+        "{}/login/oauth/{}/code/callback",
+        public_url,
+        provider.name()
+    ))
+    .unwrap();
+
     // Generate the url to the remote provider that the user will be redirected to
     let mut authz_url = client
         .authorize_url(|| CsrfToken::new(attempt.id.to_string()))
+        .set_redirect_uri(Cow::Owned(redirect_url))
         .add_scopes(
             provider
                 .scopes()
@@ -784,7 +795,8 @@ mod tests {
     #[tokio::test]
     async fn test_remote_provider_redirect_url() {
         let storage = MockStorage::new();
-        let ctx = mock_context(storage).await;
+        let mut ctx = mock_context(storage).await;
+        ctx.public_url = "https://api.oxeng.dev".to_string();
 
         let (challenge, _) = PkceCodeChallenge::new_random_sha256();
         let attempt = LoginAttempt {
@@ -808,6 +820,7 @@ mod tests {
         };
 
         let response = oauth_redirect_response(
+            &ctx.public_url,
             &*ctx
                 .get_oauth_provider(&OAuthProviderName::Google)
                 .await
@@ -817,7 +830,7 @@ mod tests {
         )
         .unwrap();
 
-        let expected_location = format!("https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=google_web_client_id&state={}&code_challenge={}&code_challenge_method=S256&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+openid", attempt.id, challenge.as_str());
+        let expected_location = format!("https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=google_web_client_id&state={}&code_challenge={}&code_challenge_method=S256&redirect_uri=https%3A%2F%2Fapi.oxeng.dev%2Flogin%2Foauth%2Fgoogle%2Fcode%2Fcallback&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+openid", attempt.id, challenge.as_str());
 
         assert_eq!(
             expected_location,

rfd-api/src/endpoints/login/oauth/device_token.rs

@@ -205,6 +205,8 @@ pub async fn exchange_device_token(
                                 "rfd:content:r".to_string(),
                                 "rfd:discussion:r".to_string(),
                                 "search".to_string(),
+                                "oauth:client:r".to_string(),
+                                "oauth:client:w".to_string(),
                             ],
                         )
                         .await?;

rfd-cli/src/main.rs

@@ -109,7 +109,7 @@ fn cmd_path<'a>(cmd: &CliCommand) -> Option<&'a str> {
         CliCommand::GetSelf => Some("user self"),
 
         // RFD commands
-        CliCommand::GetRfd => Some("get"),
+        CliCommand::GetRfd => Some("view"),
         CliCommand::GetRfds => Some("list"),
         CliCommand::SearchRfds => Some("search"),
 
@@ -133,13 +133,13 @@ fn cmd_path<'a>(cmd: &CliCommand) -> Option<&'a str> {
         CliCommand::DeleteMapper => Some("mapper delete"),
 
         // OAuth client commands
-        CliCommand::ListOauthClients => None,
-        CliCommand::CreateOauthClient => None,
-        CliCommand::GetOauthClient => None,
-        CliCommand::CreateOauthClientRedirectUri => None,
-        CliCommand::DeleteOauthClientRedirectUri => None,
-        CliCommand::CreateOauthClientSecret => None,
-        CliCommand::DeleteOauthClientSecret => None,
+        CliCommand::ListOauthClients => Some("oauth list"),
+        CliCommand::CreateOauthClient => Some("oauth create"),
+        CliCommand::GetOauthClient => Some("oauth get"),
+        CliCommand::CreateOauthClientRedirectUri => Some("oauth redirect create"),
+        CliCommand::DeleteOauthClientRedirectUri => Some("oauth redirect delete"),
+        CliCommand::CreateOauthClientSecret => Some("oauth secret create"),
+        CliCommand::DeleteOauthClientSecret => Some("oauth secret delete"),
 
         // Authentication is handled separately
         CliCommand::ExchangeDeviceToken => None,