Skip to content

Support --port and --no-browser flags for gws auth login on remote/headless machines #210

New issue
New issue
Closed as not planned
Closed as not planned
Support --port and --no-browser flags for gws auth login on remote/headless machines#210
Labels
area: auth
@br3nd4nn34l

Description

@br3nd4nn34l
br3nd4nn34l
opened on Mar 5, 2026

Problem

gws auth login starts a local HTTP server on a random port for the OAuth callback. This works great on local machines, but on remote dev servers (SSH), localhost in the browser doesn't reach the remote machine. The current workaround is:

  1. Run gws auth login and note the random port in the redirect URL
  2. Open a second terminal and set up SSH port forwarding (ssh -L <port>:localhost:<port> host)
  3. Open the auth URL in the browser

The port changes every run, so this can't be pre-configured. It's the biggest friction point in setting up gws on a remote machine.

Proposed solution

The underlying yup_oauth2 library already supports two alternatives to the random-port flow via InstalledFlowReturnMethod:

pub enum InstalledFlowReturnMethod {
    Interactive,           // copy-paste code, no HTTP server
    HTTPRedirect,          // random port (current behavior)
    HTTPPortRedirect(u16), // fixed port
}

1. --port PORT flag

Use HTTPPortRedirect(port) instead of HTTPRedirect when specified. This lets users pre-configure a fixed SSH tunnel (e.g. in ~/.ssh/config) and never think about ports again.

gws auth login --account user@example.com --port 34899
# ~/.ssh/config — one-time setup
Host devbox
  LocalForward 34899 localhost:34899

2. --no-browser flag

Use InstalledFlowReturnMethod::Interactive, which displays a URL, the user opens it manually, and pastes the authorization code back into the terminal. No HTTP server, no port forwarding needed at all. This is the same pattern gcloud auth login --no-launch-browser uses.

gws auth login --account user@example.com --no-browser

Scope

Both changes are small — the flag parsing and flow-method selection in auth_commands.rs, roughly:

let method = if let Some(port) = port_flag {
    yup_oauth2::InstalledFlowReturnMethod::HTTPPortRedirect(port)
} else if no_browser {
    yup_oauth2::InstalledFlowReturnMethod::Interactive
} else {
    yup_oauth2::InstalledFlowReturnMethod::HTTPRedirect
};

Environment

  • Remote Linux devbox (Debian 11) accessed via SSH
  • gws v0.5.0 built from source with Cargo

Metadata

Metadata

Assignees

No one assigned

    Labels

    area: auth

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions