feat: allow setting redirect URI port for OAuth flow

yashhzd · yashhzd · commit 620f10d63182 · 2026-02-13T18:30:19.000+05:30
Adds a `redirect_port` parameter to `Issuer.identity_token()` that allows callers to specify a fixed port for the local OAuth redirect server. This is needed for enterprise OIDC providers that require pre-registered redirect URIs and don't allow wildcard localhost ports. The default remains `0` (ephemeral port), preserving backward compatibility. Fixes #1029 Signed-off-by: Yash Goel <yashgoel892@gmail.com>
diff --git a/sigstore/_internal/oidc/oauth.py b/sigstore/_internal/oidc/oauth.py
@@ -87,9 +87,9 @@
       </div>
       <div class="anchor">
         <div class="links">
-          <a href="https://sigstore.dev/" class="link login"><span class="sigstore">sigstore</span> home <span class="arrow">→</span></a>
-          <a href="https://docs.sigstore.dev/" class="link login"><span class="sigstore">sigstore</span> documentation <span class="arrow">→</span></a>
-          <a href="https://blog.sigstore.dev/" class="link"><span class="sigstore">sigstore</span> blog <span class="arrow">→</span></a>
+          <a href="https://sigstore.dev/" class="link login"><span class="sigstore">sigstore</span> home <span class="arrow">&rarr;</span></a>
+          <a href="https://docs.sigstore.dev/" class="link login"><span class="sigstore">sigstore</span> documentation <span class="arrow">&rarr;</span></a>
+          <a href="https://blog.sigstore.dev/" class="link"><span class="sigstore">sigstore</span> blog <span class="arrow">&rarr;</span></a>
         </div>
       </div>
     </div>
@@ -102,12 +102,18 @@
 
 
 class _OAuthFlow:
-    def __init__(self, client_id: str, client_secret: str, issuer: Issuer):
+    def __init__(
+        self,
+        client_id: str,
+        client_secret: str,
+        issuer: Issuer,
+        redirect_port: int = 0,
+    ):
         self._client_id = client_id
         self._client_secret = client_secret
         self._issuer = issuer
         self._server = _OAuthRedirectServer(
-            self._client_id, self._client_secret, self._issuer
+            self._client_id, self._client_secret, self._issuer, port=redirect_port
         )
         self._server_thread = threading.Thread(
             target=lambda server: server.serve_forever(),
@@ -223,8 +229,14 @@ def _auth_params(self, redirect_uri: str) -> dict[str, Any]:
 
 
 class _OAuthRedirectServer(http.server.HTTPServer):
-    def __init__(self, client_id: str, client_secret: str, issuer: Issuer) -> None:
-        super().__init__(("localhost", 0), _OAuthRedirectHandler)
+    def __init__(
+        self,
+        client_id: str,
+        client_secret: str,
+        issuer: Issuer,
+        port: int = 0,
+    ) -> None:
+        super().__init__(("localhost", port), _OAuthRedirectHandler)
         self.oauth_session = _OAuthSession(client_id, client_secret, issuer)
         self.auth_response: dict[str, list[str]] | None = None
         self._is_out_of_band = False
diff --git a/sigstore/oidc.py b/sigstore/oidc.py
@@ -274,6 +274,7 @@ def identity_token(  # nosec: B107
         client_id: str = _DEFAULT_CLIENT_ID,
         client_secret: str = "",
         force_oob: bool = False,
+        redirect_port: int = 0,
     ) -> IdentityToken:
         """
         Retrieves and returns an `IdentityToken` from the current `Issuer`, via OAuth.
@@ -283,6 +284,11 @@ def identity_token(  # nosec: B107
         The `force_oob` flag controls the kind of flow performed. When `False` (the default),
         this function attempts to open the user's web browser before falling back to
         an out-of-band flow. When `True`, the out-of-band flow is always used.
+
+        The `redirect_port` parameter controls the port used for the local redirect server
+        during the OAuth flow. When `0` (the default), an ephemeral port is chosen by the OS.
+        Set this to a specific port number when your OIDC provider requires a pre-registered
+        redirect URI with a fixed port.
         """
 
         # This function and the components that it relies on are based off of:
@@ -291,7 +297,9 @@ def identity_token(  # nosec: B107
         from sigstore._internal.oidc.oauth import _OAuthFlow
 
         code: str
-        with _OAuthFlow(client_id, client_secret, self) as server:
+        with _OAuthFlow(
+            client_id, client_secret, self, redirect_port=redirect_port
+        ) as server:
             # Launch web browser
             if not force_oob and webbrowser.open(server.base_uri):
                 print("Waiting for browser interaction...", file=sys.stderr)
