feat(controlplane): render branded HTML page with copy button for OIDC token #3124

Merged
migmartri merged 2 commits into chainloop-dev:main from migmartri:feat/oidc-token-html-page
May 18, 2026
@migmartri migmartri commented May 16, 2026

Summary

When the OIDC callback flow has no client callback URL (CLI manual login flow), the control plane previously returned a plain-text response containing the JWT. This change replaces it with a self-contained, branded HTML page that:

  • Displays the JWT in a styled <code> block.
  • Provides a Copy Token button backed by the Clipboard API.
  • Adapts to light/dark color schemes.
  • Sets Cache-Control: no-store and Referrer-Policy: no-referrer so the bearer token does not leak via caches or the Referer header.
  • Renders the token in the response body only — never in the URL.

The behavior when a client callback URL is provided is unchanged.

🤖 Assisted-by: Claude Code

…C token

Replace the plain-text token output with a self-contained HTML page when
the OIDC callback flow has no client callback URL (CLI manual login).
The page shows the JWT in a styled <code> block and provides a Copy Token
button that uses the Clipboard API. Cache-Control: no-store and
Referrer-Policy: no-referrer prevent the bearer token from leaking via
caches or the Referer header. The token stays in the response body and
is never placed in the URL.

Assisted-by: Claude Code
Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>

@cubic-dev-ai cubic-dev-ai Bot left a comment

No issues found across 2 files

navigator.clipboard.writeText only works in a secure context (HTTPS or
localhost), so it fails on plain HTTP deployments. Fall back to a hidden
textarea + document.execCommand('copy') so the Copy Token button works
on insecure origins as well.

Assisted-by: Claude Code
Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
@migmartri migmartri requested a review from a team May 16, 2026 19:32
@migmartri migmartri merged commit 7b46b8a into chainloop-dev:main May 18, 2026
15 checks passed
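
The response shape described in this PR, as an added sketch in Go that is not Chainloop's code: the template and the names `tokenPage`, `writeTokenPage` and `render` are hypothetical, and the sample token is constructed. It sets both headers, keeps the token in the body, and includes the Clipboard API copy with the textarea fallback from the second commit.

```go
package main

import (
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
)

// Hypothetical page. html/template escapes .Token, so it stays inside <code>.
var tokenPage = template.Must(template.New("token").Parse(`<!doctype html>
<html><head><meta charset="utf-8"><title>Token</title></head><body>
<pre><code id="token">{{.Token}}</code></pre>
<button id="copy">Copy Token</button>
<script>
document.getElementById("copy").addEventListener("click", function () {
  var t = document.getElementById("token").textContent;
  if (navigator.clipboard && window.isSecureContext) {
    return navigator.clipboard.writeText(t);
  }
  // Plain-HTTP origin: fall back to a temporary textarea and execCommand.
  var ta = document.createElement("textarea");
  ta.value = t;
  document.body.appendChild(ta);
  ta.select();
  document.execCommand("copy");
  document.body.removeChild(ta);
});
</script></body></html>`))

// writeTokenPage (hypothetical name) puts the token in the body, never the URL.
func writeTokenPage(w http.ResponseWriter, token string) error {
	h := w.Header()
	h.Set("Content-Type", "text/html; charset=utf-8")
	h.Set("Cache-Control", "no-store")      // keep the bearer token out of caches
	h.Set("Referrer-Policy", "no-referrer") // send no Referer from this page
	return tokenPage.Execute(w, struct{ Token string }{token})
}

// render runs writeTokenPage against an in-memory recorder.
func render(token string) (*httptest.ResponseRecorder, error) {
	rec := httptest.NewRecorder()
	return rec, writeTokenPage(rec, token)
}

func main() {
	rec, err := render("constructed.jwt.value") // constructed sample, not a real JWT
	fmt.Println(rec.Header(), err)
}
```

Because the token is written through `html/template`, a value containing markup is rendered as text inside the `<code>` element rather than parsed as HTML.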