CLI: support multiple redirect URIs per client #29

New issue

Closed

opened 2026-05-25 14:19:00 +00:00 by navicore · 1 comment

navicore commented

2026-05-25 14:19:00 +00:00

Owner

Background

anz client add --redirect-uri <uri> takes a single value, but the clients.redirect_uris column is stored as a JSON array — the schema clearly anticipates multiple per client.

Real-world SPA workflows almost always need at least two URIs on the same client_id:

Production redirect (https://app.example.com/callback)
Local dev redirect (http://localhost:5173/callback)

Today there's no way to register both without editing the database directly.

Encountered

Came up during the navinote integration. Worked around it by only registering the prod redirect for navinote-pwa, but it means I can't vite dev against the deployed anz without a second client_id.

Proposed

Either:

Accept repeated --redirect-uri flags on anz client add (clap's ArgAction::Append).
Add anz client add-redirect-uri --client-id <id> --uri <uri> / anz client remove-redirect-uri ... subcommands.

Option 1 is simpler; option 2 is more flexible (lets you change URIs without recreating the client). Either works.

Acceptance

Can register a single client with N redirect URIs via the CLI alone.
All registered URIs are accepted at /realms/{realm}/authorize; unregistered ones still rejected.
anz client list shows all URIs for each client.

## Background `anz client add --redirect-uri <uri>` takes a single value, but the `clients.redirect_uris` column is stored as a JSON array — the schema clearly anticipates multiple per client. Real-world SPA workflows almost always need at least two URIs on the same `client_id`: - Production redirect (`https://app.example.com/callback`) - Local dev redirect (`http://localhost:5173/callback`) Today there's no way to register both without editing the database directly. ## Encountered Came up during the navinote integration. Worked around it by only registering the prod redirect for `navinote-pwa`, but it means I can't `vite dev` against the deployed anz without a second client_id. ## Proposed Either: 1. Accept repeated `--redirect-uri` flags on `anz client add` (clap's `ArgAction::Append`). 2. Add `anz client add-redirect-uri --client-id <id> --uri <uri>` / `anz client remove-redirect-uri ...` subcommands. Option 1 is simpler; option 2 is more flexible (lets you change URIs without recreating the client). Either works. ## Acceptance - Can register a single client with N redirect URIs via the CLI alone. - All registered URIs are accepted at `/realms/{realm}/authorize`; unregistered ones still rejected. - `anz client list` shows all URIs for each client.

navicore added the

enhancement

label

2026-05-25 14:26:48 +00:00

navicore self-assigned this

2026-05-25 14:26:49 +00:00

navicore referenced this issue from a commit

2026-05-25 14:47:38 +00:00

● The design is implemented and verified. just ci passes — fmt, clippy (warnings-as-errors), 109 tests, release

navicore referenced this issue

2026-05-25 14:47:46 +00:00

● The design is implemented and verified. just ci passes — fmt, clippy (warnings-as-errors), 109 tests, release #32