Use 202 for token polling endpoint instead of 204 (#1103)

internal/cmd/commands/authenticate/oidc.go

@@ -134,7 +134,7 @@ func (c *OidcCommand) Run(args []string) int {
 					watchCode = base.CommandCliError
 					return
 				}
-				if result.GetResponse().StatusCode() == http.StatusNoContent {
+				if result.GetResponse().StatusCode() == http.StatusAccepted {
 					// Nothing yet -- circle around.
 					continue
 				}

internal/gen/controller/api/resources/authmethods/auth_method.pb.go

@@ -671,6 +671,57 @@ func (x *OidcAuthMethodAuthenticateTokenRequest) GetTokenId() string {
 	return ""
 }
 
+// Internal only: the structure of a token response if it _does not_ contain a
+// token.
+type OidcAuthMethodAuthenticateTokenResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// The status. This will always be "unknown". It will never be forwarded to
+	// the consumer.
+	Status string `protobuf:"bytes,10,opt,name=status,proto3" json:"status,omitempty"`
+}
+
+func (x *OidcAuthMethodAuthenticateTokenResponse) Reset() {
+	*x = OidcAuthMethodAuthenticateTokenResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_controller_api_resources_authmethods_v1_auth_method_proto_msgTypes[7]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *OidcAuthMethodAuthenticateTokenResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*OidcAuthMethodAuthenticateTokenResponse) ProtoMessage() {}
+
+func (x *OidcAuthMethodAuthenticateTokenResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_controller_api_resources_authmethods_v1_auth_method_proto_msgTypes[7]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use OidcAuthMethodAuthenticateTokenResponse.ProtoReflect.Descriptor instead.
+func (*OidcAuthMethodAuthenticateTokenResponse) Descriptor() ([]byte, []int) {
+	return file_controller_api_resources_authmethods_v1_auth_method_proto_rawDescGZIP(), []int{7}
+}
+
+func (x *OidcAuthMethodAuthenticateTokenResponse) GetStatus() string {
+	if x != nil {
+		return x.Status
+	}
+	return ""
+}
+
 var File_controller_api_resources_authmethods_v1_auth_method_proto protoreflect.FileDescriptor
 
 var file_controller_api_resources_authmethods_v1_auth_method_proto_rawDesc = []byte{
@@ -859,14 +910,18 @@ var file_controller_api_resources_authmethods_v1_auth_method_proto_rawDesc = []b
 	0x41, 0x75, 0x74, 0x68, 0x4d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e,
 	0x74, 0x69, 0x63, 0x61, 0x74, 0x65, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65,
 	0x73, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x5f, 0x69, 0x64, 0x18, 0x0a,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x5f, 0x69, 0x64, 0x42, 0x5d,
-	0x5a, 0x5b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73,
-	0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2f, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x61, 0x72, 0x79, 0x2f,
-	0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x63, 0x6f, 0x6e,
-	0x74, 0x72, 0x6f, 0x6c, 0x6c, 0x65, 0x72, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x72, 0x65, 0x73, 0x6f,
-	0x75, 0x72, 0x63, 0x65, 0x73, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64,
-	0x73, 0x3b, 0x61, 0x75, 0x74, 0x68, 0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x73, 0x62, 0x06, 0x70,
-	0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x5f, 0x69, 0x64, 0x22, 0x41,
+	0x0a, 0x27, 0x4f, 0x69, 0x64, 0x63, 0x41, 0x75, 0x74, 0x68, 0x4d, 0x65, 0x74, 0x68, 0x6f, 0x64,
+	0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x65, 0x54, 0x6f, 0x6b, 0x65,
+	0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x74, 0x61,
+	0x74, 0x75, 0x73, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75,
+	0x73, 0x42, 0x5d, 0x5a, 0x5b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f,
+	0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2f, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x61,
+	0x72, 0x79, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2f, 0x67, 0x65, 0x6e, 0x2f,
+	0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x6c, 0x65, 0x72, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x72,
+	0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x6d, 0x65, 0x74,
+	0x68, 0x6f, 0x64, 0x73, 0x3b, 0x61, 0x75, 0x74, 0x68, 0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x73,
+	0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (
@@ -881,7 +936,7 @@ func file_controller_api_resources_authmethods_v1_auth_method_proto_rawDescGZIP(
 	return file_controller_api_resources_authmethods_v1_auth_method_proto_rawDescData
 }
 
-var file_controller_api_resources_authmethods_v1_auth_method_proto_msgTypes = make([]protoimpl.MessageInfo, 8)
+var file_controller_api_resources_authmethods_v1_auth_method_proto_msgTypes = make([]protoimpl.MessageInfo, 9)
 var file_controller_api_resources_authmethods_v1_auth_method_proto_goTypes = []interface{}{
 	(*AuthMethod)(nil),                                 // 0: controller.api.resources.authmethods.v1.AuthMethod
 	(*PasswordAuthMethodAttributes)(nil),               // 1: controller.api.resources.authmethods.v1.PasswordAuthMethodAttributes
@@ -890,28 +945,29 @@ var file_controller_api_resources_authmethods_v1_auth_method_proto_goTypes = []i
 	(*OidcAuthMethodAuthenticateCallbackRequest)(nil),  // 4: controller.api.resources.authmethods.v1.OidcAuthMethodAuthenticateCallbackRequest
 	(*OidcAuthMethodAuthenticateCallbackResponse)(nil), // 5: controller.api.resources.authmethods.v1.OidcAuthMethodAuthenticateCallbackResponse
 	(*OidcAuthMethodAuthenticateTokenRequest)(nil),     // 6: controller.api.resources.authmethods.v1.OidcAuthMethodAuthenticateTokenRequest
-	nil,                          // 7: controller.api.resources.authmethods.v1.AuthMethod.AuthorizedCollectionActionsEntry
-	(*scopes.ScopeInfo)(nil),     // 8: controller.api.resources.scopes.v1.ScopeInfo
-	(*wrappers.StringValue)(nil), // 9: google.protobuf.StringValue
-	(*timestamp.Timestamp)(nil),  // 10: google.protobuf.Timestamp
-	(*_struct.Struct)(nil),       // 11: google.protobuf.Struct
-	(*wrappers.UInt32Value)(nil), // 12: google.protobuf.UInt32Value
-	(*_struct.ListValue)(nil),    // 13: google.protobuf.ListValue
+	(*OidcAuthMethodAuthenticateTokenResponse)(nil),    // 7: controller.api.resources.authmethods.v1.OidcAuthMethodAuthenticateTokenResponse
+	nil,                          // 8: controller.api.resources.authmethods.v1.AuthMethod.AuthorizedCollectionActionsEntry
+	(*scopes.ScopeInfo)(nil),     // 9: controller.api.resources.scopes.v1.ScopeInfo
+	(*wrappers.StringValue)(nil), // 10: google.protobuf.StringValue
+	(*timestamp.Timestamp)(nil),  // 11: google.protobuf.Timestamp
+	(*_struct.Struct)(nil),       // 12: google.protobuf.Struct
+	(*wrappers.UInt32Value)(nil), // 13: google.protobuf.UInt32Value
+	(*_struct.ListValue)(nil),    // 14: google.protobuf.ListValue
 }
 var file_controller_api_resources_authmethods_v1_auth_method_proto_depIdxs = []int32{
-	8,  // 0: controller.api.resources.authmethods.v1.AuthMethod.scope:type_name -> controller.api.resources.scopes.v1.ScopeInfo
-	9,  // 1: controller.api.resources.authmethods.v1.AuthMethod.name:type_name -> google.protobuf.StringValue
-	9,  // 2: controller.api.resources.authmethods.v1.AuthMethod.description:type_name -> google.protobuf.StringValue
-	10, // 3: controller.api.resources.authmethods.v1.AuthMethod.created_time:type_name -> google.protobuf.Timestamp
-	10, // 4: controller.api.resources.authmethods.v1.AuthMethod.updated_time:type_name -> google.protobuf.Timestamp
-	11, // 5: controller.api.resources.authmethods.v1.AuthMethod.attributes:type_name -> google.protobuf.Struct
-	7,  // 6: controller.api.resources.authmethods.v1.AuthMethod.authorized_collection_actions:type_name -> controller.api.resources.authmethods.v1.AuthMethod.AuthorizedCollectionActionsEntry
-	9,  // 7: controller.api.resources.authmethods.v1.OidcAuthMethodAttributes.issuer:type_name -> google.protobuf.StringValue
-	9,  // 8: controller.api.resources.authmethods.v1.OidcAuthMethodAttributes.client_id:type_name -> google.protobuf.StringValue
-	9,  // 9: controller.api.resources.authmethods.v1.OidcAuthMethodAttributes.client_secret:type_name -> google.protobuf.StringValue
-	12, // 10: controller.api.resources.authmethods.v1.OidcAuthMethodAttributes.max_age:type_name -> google.protobuf.UInt32Value
-	9,  // 11: controller.api.resources.authmethods.v1.OidcAuthMethodAttributes.api_url_prefix:type_name -> google.protobuf.StringValue
-	13, // 12: controller.api.resources.authmethods.v1.AuthMethod.AuthorizedCollectionActionsEntry.value:type_name -> google.protobuf.ListValue
+	9,  // 0: controller.api.resources.authmethods.v1.AuthMethod.scope:type_name -> controller.api.resources.scopes.v1.ScopeInfo
+	10, // 1: controller.api.resources.authmethods.v1.AuthMethod.name:type_name -> google.protobuf.StringValue
+	10, // 2: controller.api.resources.authmethods.v1.AuthMethod.description:type_name -> google.protobuf.StringValue
+	11, // 3: controller.api.resources.authmethods.v1.AuthMethod.created_time:type_name -> google.protobuf.Timestamp
+	11, // 4: controller.api.resources.authmethods.v1.AuthMethod.updated_time:type_name -> google.protobuf.Timestamp
+	12, // 5: controller.api.resources.authmethods.v1.AuthMethod.attributes:type_name -> google.protobuf.Struct
+	8,  // 6: controller.api.resources.authmethods.v1.AuthMethod.authorized_collection_actions:type_name -> controller.api.resources.authmethods.v1.AuthMethod.AuthorizedCollectionActionsEntry
+	10, // 7: controller.api.resources.authmethods.v1.OidcAuthMethodAttributes.issuer:type_name -> google.protobuf.StringValue
+	10, // 8: controller.api.resources.authmethods.v1.OidcAuthMethodAttributes.client_id:type_name -> google.protobuf.StringValue
+	10, // 9: controller.api.resources.authmethods.v1.OidcAuthMethodAttributes.client_secret:type_name -> google.protobuf.StringValue
+	13, // 10: controller.api.resources.authmethods.v1.OidcAuthMethodAttributes.max_age:type_name -> google.protobuf.UInt32Value
+	10, // 11: controller.api.resources.authmethods.v1.OidcAuthMethodAttributes.api_url_prefix:type_name -> google.protobuf.StringValue
+	14, // 12: controller.api.resources.authmethods.v1.AuthMethod.AuthorizedCollectionActionsEntry.value:type_name -> google.protobuf.ListValue
 	13, // [13:13] is the sub-list for method output_type
 	13, // [13:13] is the sub-list for method input_type
 	13, // [13:13] is the sub-list for extension type_name
@@ -1009,6 +1065,18 @@ func file_controller_api_resources_authmethods_v1_auth_method_proto_init() {
 				return nil
 			}
 		}
+		file_controller_api_resources_authmethods_v1_auth_method_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*OidcAuthMethodAuthenticateTokenResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
 	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
@@ -1016,7 +1084,7 @@ func file_controller_api_resources_authmethods_v1_auth_method_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_controller_api_resources_authmethods_v1_auth_method_proto_rawDesc,
 			NumEnums:      0,
-			NumMessages:   8,
+			NumMessages:   9,
 			NumExtensions: 0,
 			NumServices:   0,
 		},

internal/proto/local/controller/api/resources/authmethods/v1/auth_method.proto

@@ -165,4 +165,12 @@ message OidcAuthMethodAuthenticateCallbackResponse {
 message OidcAuthMethodAuthenticateTokenRequest {
 	// The ID of the pending token
 	string token_id = 10 [json_name="token_id"];
+}
+
+// Internal only: the structure of a token response if it _does not_ contain a
+// token.
+message OidcAuthMethodAuthenticateTokenResponse {
+	// The status. This will always be "unknown". It will never be forwarded to
+	// the consumer.
+	string status = 10;
 }

internal/servers/controller/handlers/authmethods/oidc.go

@@ -16,6 +16,7 @@ import (
 	"github.com/hashicorp/boundary/internal/servers/controller/handlers"
 	"github.com/hashicorp/boundary/internal/types/action"
 	"google.golang.org/grpc/codes"
+	"google.golang.org/protobuf/types/known/structpb"
 )
 
 const (
@@ -25,7 +26,8 @@ const (
 	tokenCommand    = "token"
 
 	// token request/response fields
-	tokenField = "token"
+	tokenField  = "token"
+	statusField = "status"
 
 	// field names
 	issuerField                            = "attributes.issuer"
@@ -269,7 +271,16 @@ func (s Service) authenticateOidcToken(ctx context.Context, req *pbs.Authenticat
 		}
 	}
 	if token == nil {
-		return nil, nil
+		attrs, err := structpb.NewStruct(map[string]interface{}{
+			statusField: "unknown",
+		})
+		if err != nil {
+			return nil, errors.New(errors.Internal, op, "Error generating response attributes.")
+		}
+		return &pbs.AuthenticateResponse{
+			Command:    req.Command,
+			Attributes: attrs,
+		}, nil
 	}
 
 	responseToken, err := s.convertInternalAuthTokenToApiAuthToken(

internal/servers/controller/handlers/outgoing_interceptor.go

@@ -17,6 +17,7 @@ const (
 	JsVisibleCookieName   = "wt-js-token-cookie"
 	tokenTypeField        = "token_type"
 	finalRedirectUrlField = "final_redirect_url"
+	statusField           = "status"
 )
 
 func OutgoingInterceptor(ctx context.Context, w http.ResponseWriter, m proto.Message) error {
@@ -34,6 +35,15 @@ func OutgoingInterceptor(ctx context.Context, w http.ResponseWriter, m proto.Mes
 			return nil
 		}
 		fields := m.GetAttributes().GetFields()
+		if m.GetCommand() == "token" {
+			if _, ok := fields[statusField]; ok {
+				// For now at least status will never be anything useful so
+				// don't need to check on it; the mere presence is enough to
+				// know what to do
+				w.WriteHeader(http.StatusAccepted)
+				return nil
+			}
+		}
 		// It's a redirect
 		if urlField, ok := fields[finalRedirectUrlField]; ok {
 			u := urlField.GetStringValue()