Skip to content

Document the faas-cli Device Authorization flow for SSO#431

Open
welteki wants to merge 2 commits into
openfaas:masterfrom
welteki:device-auth-docs
Open

Document the faas-cli Device Authorization flow for SSO#431
welteki wants to merge 2 commits into
openfaas:masterfrom
welteki:device-auth-docs

Conversation

@welteki

@welteki welteki commented Jun 11, 2026

Copy link
Copy Markdown
Member

Description

Document the new Device Authorization flow for logging in with the faas-cli.

Update the provider instructions for Keycloak and Google to document enabling support for the Device Authorization flow.

Rework the generic SSO CLI page to describe the supported OAuth flows more clearly.

Motivation and Context

The faas-cli now supports the Device Authorization flow, so the docs need to describe how to use it and how to enable it on supported IdPs.

  • I have raised an issue to propose this change (required)

How Has This Been Tested?

Reviewed the rendered Markdown locally.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I've read the CONTRIBUTION guide
  • I have signed-off my commits with git commit -s

@welteki
Document the faas-cli Device Authorization flow for SSO
7df7e08 
Document the new Device Authorization flow for logging in with the
faas-cli.

Update the provider instuctions for Keycloak and Google to document
enabling support for the Device Authorization flow.

Rework the generic SSO CLI page to describe the supported OAuth flows
more clearly.

Signed-off-by: Han Verstraete (OpenFaaS Ltd) <han@openfaas.com>
@reviewfn

This comment has been minimized.

Sign in to view
@welteki
Standardize OAuth terminology to 'Proof Key for Code Exchange'
ff57537 
Signed-off-by: Han Verstraete (OpenFaaS Ltd) <han@openfaas.com>
@reviewfn

reviewfn Bot commented Jun 11, 2026

Copy link
Copy Markdown

AI Pull Request Overview

Disclaimer: This review was generated by automated AI and may contain errors. Do not trust its outputs without human verification.

Summary

  • Documentation-only PR covering the new faas-cli Device Authorization flow for SSO.
  • Updates the generic CLI SSO page to describe supported OAuth grants and device login behavior.
  • Adds Google-specific setup guidance for separate Web Application and TVs/Limited Input device clients.
  • Adds Keycloak-specific setup guidance for enabling the OAuth 2.0 Device Authorization Grant.
  • Updates the SSO overview to include Device Authorization Grant and clarify callback URL requirements.
  • Adds a Google OAuth application type screenshot used by the updated Google guide.
  • No blocking correctness, reproducibility, or rendering issue was found in the scoped diff.

Approval rating (1-10)

8/10. The changes are useful and coherent; residual risk is mostly around unverified rendered output because the local docs build tool was unavailable.

Summary per file

Summary per file
File path Summary
docs/images/oidc-configuration/google/google-application-type.png Adds screenshot showing Google OAuth application type choices.
docs/openfaas-pro/sso/cli.md Documents supported CLI OAuth grants and Device Authorization usage.
docs/openfaas-pro/sso/google.md Adds Google Device Authorization setup and CLI login instructions.
docs/openfaas-pro/sso/keycloak.md Adds Keycloak Device Authorization configuration and CLI login examples.
docs/openfaas-pro/sso/overview.md Adds Device Authorization to supported CLI flows and callback guidance.

Overall Assessment

The PR is ready from a documentation review perspective. The new pages give readers a clear path for choosing between PKCE, Device Authorization, and legacy implicit flows, and the provider-specific Google and Keycloak instructions align with the generic CLI guidance. The intra-page anchors introduced by the new headings appear consistent with MkDocs heading slugs, and the new Google image matches the step it supports. I could not run mkdocs build --strict in this environment because mkdocs is not installed.

Detailed Review

Detailed Review

Content review

No blocking findings.

The title and scope of each changed page remain aligned: cli.md is a flow reference, while google.md and keycloak.md now explain the provider-specific setup needed before using those flows.

The opening structure is usable for the likely reader. The generic CLI page first lists all supported grants, then expands the two main interactive flows, which helps users decide before copying commands.

The examples are reproducible at the documentation level. Google explicitly calls out the separate TVs and Limited Input devices client for Device Authorization and includes --client-secret; Keycloak calls out the required Device Authorization Grant capability before showing the CLI command.

The rendering risk is low. The new links to #implicit-id-flow, #device-authorization-flow, #configure-google, and #configure-keycloak match the new or existing Markdown headings under MkDocs-style slug generation, and the new image path exists under docs/images/oidc-configuration/google/.

AI agent details.

Agent processing time: 1m57.34s
Environment preparation time: 11.894s
Total time from webhook: 2m17.449s

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@welteki