Server-side Login Protocol

The terraform login command supports performing an OAuth 2.0 authorization request using configuration provided by the target host. You may wish to implement this protocol if you are producing a third-party implementation of any Terraform-native services, such as a Terraform module registry.

First, Terraform uses remote service discovery to find the OAuth configuration for the host. The host must support the service name login.v1 and define for it an object containing OAuth client configuration values, like this:

{
  "login.v1": {
    "client": "terraform-cli",
    "grant_types": ["authz_code"],
    "authz": "/oauth/authorization",
    "token": "/oauth/token",
    "ports": [10000, 10010]
  }
}
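The following is an added example, not code from Terraform or from HashiCorp's documentation, showing how a third-party service implementation might validate its own login.v1 object before publishing it (or how a test for that service could check it). The sample discovery document is constructed from the object above. The validation rules (an https requirement on the resolved endpoints, ports read as an inclusive range of unprivileged TCP ports, the 43-character S256 challenge length) are this example's assumptions about what a careful server author would enforce, not requirements stated on this page.

```python
"""Validate a Terraform 'login.v1' discovery object (added example, not Terraform's code)."""
import json
from typing import Dict, Tuple
from urllib.parse import urljoin, urlparse

# Constructed sample: the discovery object a host would serve for the login.v1 service.
SAMPLE_DISCOVERY = """
{
  "login.v1": {
    "client": "terraform-cli",
    "grant_types": ["authz_code"],
    "authz": "/oauth/authorization",
    "token": "/oauth/token",
    "ports": [10000, 10010]
  }
}
"""

REQUIRED_KEYS = ("client", "grant_types", "authz", "token", "ports")


class DiscoveryError(ValueError):
    """Raised when the login.v1 object is missing or malformed."""


def parse_login_v1(document: str, host_base: str) -> Dict[str, object]:
    """Parse a discovery document and return a normalized login.v1 configuration.

    host_base is the origin the document was fetched from (e.g. "https://example.com")
    and is used to resolve relative endpoint paths. The checks below are assumptions
    about sensible server-side validation, not rules taken from the Terraform docs.
    """
    try:
        doc = json.loads(document)
    except json.JSONDecodeError as exc:
        raise DiscoveryError(f"discovery document is not valid JSON: {exc}") from exc

    cfg = doc.get("login.v1") if isinstance(doc, dict) else None
    if not isinstance(cfg, dict):
        raise DiscoveryError("service 'login.v1' is not declared")

    missing = [key for key in REQUIRED_KEYS if key not in cfg]
    if missing:
        raise DiscoveryError(f"login.v1 is missing keys: {missing}")

    if not isinstance(cfg["client"], str) or not cfg["client"]:
        raise DiscoveryError("'client' must be a non-empty client identifier")

    grants = cfg["grant_types"]
    if not isinstance(grants, list) or "authz_code" not in grants:
        raise DiscoveryError("'grant_types' must include 'authz_code'")

    endpoints = {}
    for key in ("authz", "token"):
        if not isinstance(cfg[key], str):
            raise DiscoveryError(f"'{key}' must be a string")
        url = urljoin(host_base, cfg[key])
        parsed = urlparse(url)
        # Both endpoints carry credentials in transit, so refuse anything that is not HTTPS.
        if parsed.scheme != "https" or not parsed.netloc:
            raise DiscoveryError(f"'{key}' must resolve to an https URL, got {url!r}")
        endpoints[key] = url

    ports = cfg["ports"]
    if (not isinstance(ports, list) or len(ports) != 2
            or not all(isinstance(p, int) and not isinstance(p, bool) for p in ports)):
        raise DiscoveryError("'ports' must be a two-element array of integers")
    low, high = ports
    # Assumed semantics: an inclusive range of unprivileged TCP ports for the
    # temporary local listener that receives the redirect.
    if not (1024 <= low <= high <= 65535):
        raise DiscoveryError(f"'ports' range {ports} is not an ordered unprivileged range")

    return {
        "client": cfg["client"],
        "grant_types": list(grants),
        "authz": endpoints["authz"],
        "token": endpoints["token"],
        "ports": (low, high),
    }


def is_valid_login_v1(document: str, host_base: str) -> bool:
    """Convenience wrapper: True if the document passes every check above."""
    try:
        parse_login_v1(document, host_base)
    except DiscoveryError:
        return False
    return True


if __name__ == "__main__":
    print(parse_login_v1(SAMPLE_DISCOVERY, "https://example.com"))
```

Resolving the endpoints against the discovery host matters because the client will send the authorization code and PKCE verifier to whatever the token path resolves to; a server author who lets those paths point off-host, or at a plain-http URL, has handed that material to someone else.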

The properties within the discovery object are as follows:

When requesting an authorization code grant, Terraform CLI implements the Proof Key for Code Exchange extension in order to protect against other applications on the system intercepting the incoming request to the redirection endpoint. We strongly recommend that you select an OAuth server implementation that also implements this extension and verifies the code challenge sent to the token endpoint.
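What "verifies the code challenge sent to the token endpoint" means in practice, as an added example that is not Terraform's code and not any particular OAuth server's implementation: the authorization endpoint stores the client's code_challenge next to the code it issues, and the token endpoint releases a token only if the presented code_verifier hashes to that stored challenge. The in-memory store, the single-use and S256-only policies, and the constructed client_id and redirect_uri values are this example's assumptions; the S256 transform and the verifier test vector are from RFC 7636.

```python
"""Server-side PKCE verification at the token endpoint (added example, not Terraform's code)."""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


@dataclass
class PendingCode:
    """State the authorization endpoint keeps for each code it has issued."""
    client_id: str
    redirect_uri: str
    code_challenge: str
    used: bool = False


class AuthorizationServer:
    """Minimal in-memory authorization server that enforces PKCE on code exchange."""

    def __init__(self) -> None:
        self._codes: Dict[str, PendingCode] = {}

    def issue_code(self, client_id: str, redirect_uri: str,
                   code_challenge: str, code_challenge_method: str) -> str:
        """Authorization endpoint: bind the challenge to a freshly minted code."""
        if code_challenge_method != "S256":
            # 'plain' lets anyone who saw the challenge replay it as the verifier,
            # which is exactly the interception PKCE is meant to stop.
            raise ValueError("only code_challenge_method=S256 is accepted")
        if len(code_challenge) != 43:
            # base64url of a 32-byte SHA-256 digest is always 43 characters
            raise ValueError("code_challenge is not a base64url SHA-256 digest")
        code = secrets.token_urlsafe(32)
        self._codes[code] = PendingCode(client_id, redirect_uri, code_challenge)
        return code

    def exchange(self, code: str, client_id: str, redirect_uri: str,
                 code_verifier: str) -> Optional[Dict[str, str]]:
        """Token endpoint: return a token only if the verifier matches the stored challenge."""
        pending = self._codes.get(code)
        if pending is None or pending.used:
            return None
        # A code is consumed on first presentation, whether or not the check passes,
        # so a guessed verifier cannot be retried against the same code.
        pending.used = True
        if pending.client_id != client_id or pending.redirect_uri != redirect_uri:
            return None
        if not (43 <= len(code_verifier) <= 128):
            return None
        expected = pending.code_challenge.encode("ascii")
        actual = s256_challenge(code_verifier).encode("ascii")
        if not hmac.compare_digest(expected, actual):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer"}


# RFC 7636 Appendix B test vector for the S256 transform.
RFC_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def demo_exchange() -> Dict[str, bool]:
    """Run the flow with constructed client values; returns which outcomes were observed."""
    server = AuthorizationServer()
    client_id, redirect = "terraform-cli", "http://localhost:10000/login"  # constructed values
    verifier = secrets.token_urlsafe(48)  # a legitimate client keeps this secret locally
    challenge = s256_challenge(verifier)

    good_code = server.issue_code(client_id, redirect, challenge, "S256")
    bad_code = server.issue_code(client_id, redirect, challenge, "S256")

    results = {
        "correct_verifier_accepted": server.exchange(good_code, client_id, redirect, verifier) is not None,
        "replayed_code_rejected": server.exchange(good_code, client_id, redirect, verifier) is None,
        # An interceptor holding only the code and the public challenge cannot produce the verifier.
        "wrong_verifier_rejected": server.exchange(bad_code, client_id, redirect, challenge) is None,
    }
    return results


if __name__ == "__main__":
    print(demo_exchange())
```

The constant-time comparison is a small point but a cheap one; the larger design choices are refusing the plain method and consuming the code on first use, because a redirect interceptor on the same machine obtains the code but never the verifier, and must not get a second attempt.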

Terraform CLI does not support OAuth refresh tokens or token expiration. If your server issues time-limited tokens, Terraform CLI will simply begin receiving authorization errors once the token expires, after which the user can run terraform login again to obtain a new token.