Labels: bug, core
Description
When connecting to a provider via the TUI /connect flow, OpenCode does not run the plugin’s auth.methods[].prompts UI before calling authorize(). This prevents plugins from collecting required inputs (e.g., IAM Identity Center Start URL + SSO region) and can lead to the wrong login flow being opened (e.g., AWS Builder ID email page instead of the org’s IAM Identity Center username portal).
By contrast, opencode auth login does run the plugin prompt flow correctly.
Expected behavior
/connect should behave like opencode auth login:
- If an auth method defines prompts, OpenCode should display them and pass the collected inputs to authorize(inputs).
- This should happen for both OAuth and API auth methods.
Actual behavior
- /connect selects the provider/method and invokes authorize() with no (or incomplete) inputs.
- Plugins that rely on prompts to choose between multiple flows can’t do so.
- In the AWS case, it often opens the AWS Builder ID page (email prompt) because the plugin never receives an IAM Identity Center Start URL / sso_region.
Why this matters (real example)
For AWS IAM Identity Center device auth, plugins typically need:
- start_url (Identity Center Start URL) to send users to the org-specific device page
- idc_region (sso_region) for OIDC token exchange
Without prompting, the provider may:
- fall back to a default flow (Builder ID)
- or fail, forcing users to leave the TUI and use opencode auth login anyway
Repro steps (provider-agnostic)
- Use any plugin/provider auth method that defines auth.methods[].prompts (e.g. start_url and idc_region) and requires those inputs to choose the correct OAuth flow.
- Start OpenCode TUI.
- Run /connect and select that provider/method.
- Observe that OpenCode does not show the plugin’s prompts and calls authorize() without the required inputs, causing the provider to:
  - open the wrong login page (common with AWS Builder ID vs IAM Identity Center), or
  - fail and require a separate login flow outside /connect.
- Run opencode auth login for the same provider/method.
- Observe that OpenCode does show the prompts and passes inputs to authorize(inputs) as expected.
Proposed fix
In the /connect flow, if the selected auth method includes prompts:
- Render those prompts in the TUI
- Collect inputs
- Call authorize(inputs) (or authorize for API methods)
Workarounds
- Use opencode auth login instead of /connect
- Or preconfigure provider-specific defaults in config files/env vars (not always possible / not discoverable)
Environment
- OpenCode version: 1.2.10 (adjust if different)
- OS: Linux (adjust if different)
- Example impacted scenario: AWS IAM Identity Center device auth (Start URL + SSO region prompts)
Plugins
No response
OpenCode version
1.2.10
Steps to reproduce
No response
Screenshot and/or share link
No response
Operating System
No response
Terminal
No response
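The flow under "Proposed fix", as an added TypeScript sketch that is not OpenCode's or any plugin's code: it asks every declared prompt and refuses to call authorize() when a required input is missing, instead of letting the provider fall back to a default login flow. The Prompt and AuthMethod shapes, the collectInputs and connect helpers, the synchronous ask callback and the sample Start URL are assumptions made for illustration.

```typescript
// Added example: these types are assumptions for illustration,
// not OpenCode's actual plugin API.
type Prompt = { key: string; message: string; required?: boolean };
type Inputs = Record<string, string>;
type AuthMethod<T> = {
  label: string;
  prompts?: Prompt[];
  authorize: (inputs: Inputs) => T;
};

// Ask every declared prompt; fail closed when a required answer is missing
// so authorize() is never reached with incomplete inputs.
function collectInputs(prompts: Prompt[], ask: (p: Prompt) => string | undefined): Inputs {
  const inputs: Inputs = {};
  for (const p of prompts) {
    const answer = (ask(p) ?? "").trim();
    if (answer === "") {
      if (p.required) throw new Error(`missing required input: ${p.key}`);
      continue; // optional prompt left blank: omit the key
    }
    inputs[p.key] = answer;
  }
  return inputs;
}

// One entry point that both /connect and `auth login` could share, so the
// two paths cannot drift apart in how they gather inputs.
function connect<T>(method: AuthMethod<T>, ask: (p: Prompt) => string | undefined): T {
  const inputs = collectInputs(method.prompts ?? [], ask);
  return method.authorize(inputs);
}

// Constructed sample method modelled on the issue's AWS scenario.
const identityCenter: AuthMethod<string> = {
  label: "IAM Identity Center (device auth)",
  prompts: [
    { key: "start_url", message: "Identity Center Start URL", required: true },
    { key: "idc_region", message: "SSO region", required: true },
  ],
  // Returns the flow that would be opened, so the outcome is observable.
  authorize: (inputs) =>
    inputs["start_url"]
      ? `identity-center:${inputs["start_url"]}:${inputs["idc_region"]}`
      : "builder-id",
};

// Constructed answers standing in for what a user would type in the TUI.
const answers: Inputs = { start_url: "https://example.awsapps.com/start", idc_region: "us-east-1" };
const flow = connect(identityCenter, (p) => answers[p.key]);
```
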