Skip to content

Store CLI authentication tokens in OS keyring with fallback to file storage #19403

New issue
New issue
Open
Feature
Open
Store CLI authentication tokens in OS keyring with fallback to file storage#19403
Feature
Assignees
f0ssel
@blink-so

Description

@blink-so
blink-so
bot
opened on Aug 19, 2025

Feature Request: Secure Token Storage in OS Keyring

Problem

Currently, the Coder CLI stores authentication tokens in plaintext configuration files, which poses a security risk. Users' tokens are stored unencrypted and can be easily accessed by other processes or users with file system access.

Proposed Solution

Implement secure token storage using the OS keyring with graceful fallback to file storage when keyring is unavailable.

Acceptance Criteria

  • CLI should by default store the token in the OS keyring using a library like zalando/go-keyring

    • Keychain on macOS
    • GNOME Keyring on Linux (Secret Service dbus interface)
    • Wincred on Windows

  • CLI should fallback to storing the token in text file if the keyring is not available

    • Maintain backward compatibility
    • Ensure minimal disruption if keyring operations fail
    • Log appropriate warnings when falling back to file storage

  • Address security considerations from GitHub CLI's keyring implementation discussion:

    • Consider the security implications of using zalando/go-keyring which shells out to the security command on macOS
    • On macOS, this grants access to the security binary rather than the specific application, which can weaken the security model
    • Document this limitation and consider future improvements to use native APIs
    • Despite this limitation, keyring storage is still significantly more secure than plaintext files

Implementation Considerations

  1. Library Choice: Use zalando/go-keyring for pure Go implementation without CGO requirements
  2. Migration: Handle existing plaintext tokens gracefully during the transition
  3. Error Handling: Robust fallback mechanism when keyring operations fail
  4. Cross-platform: Ensure consistent behavior across macOS, Linux, and Windows
  5. User Experience: Minimal prompts and clear messaging about keyring access
  6. Testing: Comprehensive tests for both keyring and fallback scenarios

Security Benefits

  • Tokens encrypted at rest using OS-provided security mechanisms
  • Reduced risk of accidental token exposure in config files
  • Better integration with enterprise security policies

References

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

Feature

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions
    pFad - Phonifier reborn

    Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

    Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


    Alternative Proxies:

    Alternative Proxy

    pFad Proxy

    pFad v3 Proxy

    pFad v4 Proxy