@ewels ewels commented Sep 4, 2025

This PR introduces a complete authentication system for Seqera Platform with multiple subcommands for managing authentication credentials and configuration.

Features

New nextflow auth command with subcommands:

  • nextflow auth login - Authenticate with Seqera Platform using OAuth2/PKCE flow
  • nextflow auth logout - Remove authentication credentials and clear configuration
  • nextflow auth status - Show current authentication status and user information
  • nextflow auth config - Display current authentication configuration

Auth0 Device Flow Authentication

  • Implements Auth0 device flow for secure authentication without requiring a local server
  • User-friendly flow: displays a code and opens browser to Auth0 verification URL
  • Automatic polling to detect when user completes authentication
  • Supports multiple Seqera environments (production, staging, development)
  • Personal Access Token (PAT) fallback for enterprise/custom deployments

Usage Examples

# Authenticate with Seqera Cloud (production)
nextflow auth login

# Authenticate with custom endpoint
nextflow auth login -u https://my-enterprise-seqera.com/api

# Check authentication status
nextflow auth status

# View current configuration
nextflow auth config

# Logout and clear credentials
nextflow auth logout

Technical Implementation

Core Components

  • CmdAuth: Main command handler with OAuth2 flow implementation
  • ColorUtil: ANSI color utility for enhanced terminal output
  • Comprehensive test suite: 36 tests covering all functionality

Authentication Flow

  1. Prompts for API endpoint (defaults to Seqera Cloud production)
  2. For Seqera Cloud: initiates Auth0 device flow
  3. Displays user code and opens browser to verification URL
  4. Polls Auth0 token endpoint until user completes authentication
  5. For enterprise: prompts for Personal Access Token
  6. Validates credentials and fetches user information
  7. Handles workspace/organization selection
  8. Updates Nextflow configuration with new credentials
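
The polling in steps 3 and 4 above is the OAuth 2.0 device authorization grant (RFC 8628). The following is an added Python example, not code from this PR, showing how a client should react to each token-endpoint response; `poll_for_token`, the `post_token` transport callback, `scripted_endpoint` and the sample responses are constructed for illustration, while the error codes and the 5-second `slow_down` back-off come from RFC 8628.

```python
import time

class DeviceFlowError(Exception):
    """Terminal failure of the device authorization grant."""

def poll_for_token(post_token, device_code, interval=5, expires_in=900,
                   sleep=time.sleep, clock=time.monotonic):
    """Poll the token endpoint the way RFC 8628 section 3.5 prescribes.

    post_token(device_code) -> (http_status, json_dict) is a hypothetical
    transport callback standing in for the HTTPS POST to the token endpoint.
    """
    deadline = clock() + expires_in          # lifetime of the device_code
    while clock() < deadline:
        sleep(interval)                      # never poll faster than `interval`
        status, body = post_token(device_code)
        if status == 200 and "access_token" in body:
            return body                      # caller stores it; do not log it
        error = body.get("error")
        if error == "authorization_pending":
            continue                         # user has not finished in the browser
        if error == "slow_down":
            interval += 5                    # RFC 8628: add 5 s for all later polls
            continue
        # access_denied, expired_token or anything unexpected is terminal
        raise DeviceFlowError(error or f"unexpected HTTP {status}")
    raise DeviceFlowError("expired_token")   # local deadline reached

def scripted_endpoint(responses):
    """Constructed stand-in for the authorization server (no network)."""
    it = iter(responses)
    return lambda device_code: next(it)

def run_demo():
    """Replay a constructed exchange with a fake clock; return (token, waits)."""
    now, waits = [0.0], []
    def fake_sleep(seconds):
        waits.append(seconds)
        now[0] += seconds
    script = [
        (400, {"error": "authorization_pending"}),
        (400, {"error": "slow_down"}),
        (400, {"error": "authorization_pending"}),
        (200, {"access_token": "constructed-token", "token_type": "Bearer"}),
    ]
    token = poll_for_token(scripted_endpoint(script), "constructed-device-code",
                           interval=5, expires_in=60,
                           sleep=fake_sleep, clock=lambda: now[0])
    return token, waits

if __name__ == "__main__":
    print("waits between polls:", run_demo()[1])
```
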

netlify bot commented Sep 4, 2025

Deploy Preview for nextflow-docs-staging ready!

Name Link
🔨 Latest commit 24d0865
🔍 Latest deploy log https://app.netlify.com/projects/nextflow-docs-staging/deploys/68d05552c5fb4f00087bbbd6
😎 Deploy Preview https://deploy-preview-6380--nextflow-docs-staging.netlify.app

@ewels ewels force-pushed the nextflow-auth branch 8 times, most recently from e9b3f26 to c01e56b Compare September 6, 2025 19:41
@ewels ewels force-pushed the nextflow-auth branch 2 times, most recently from be9d924 to 5e79a3b Compare September 20, 2025 23:30
Signed-off-by: Phil Ewels <phil.ewels@seqera.io>
Set TOWER_ACCESS_TOKEN with new PAT.

Signed-off-by: Phil Ewels <phil.ewels@seqera.io>

ewels commented Sep 20, 2025

Struggling to get the tests to pass. Even master is failing for me locally, whilst passing on GitHub. Not sure what's wrong.

@ewels ewels changed the title WIP: First attempt at auth0 flow for nextflow auth login New command group: nextflow auth Sep 21, 2025
@ewels ewels marked this pull request as ready for review September 21, 2025 19:43

ewels commented Sep 21, 2025

@claude Please review this pull request and provide feedback on:

  • Code quality and best practices
  • Potential bugs or issues
  • Performance considerations
  • Security concerns
  • Test coverage

Use the repository's CLAUDE.md for guidance on style and conventions. Be constructive and helpful in your feedback.

Use gh pr comment with your Bash tool to leave your review as a comment on the PR.

claude bot commented Sep 21, 2025

Claude encountered an error —— View job

Failed with exit code 128

I'll analyze this and get back to you.

} else {
// Reset only what was set
if (bold) fmt = fmt.boldOff()
if (dim) fmt = fmt.a(Attribute.INTENSITY_BOLD) // Reset dim

Bug: Colorize Method Incorrectly Applies Bold Formatting

When fullReset is false, the colorize method attempts to reset dim formatting using Attribute.INTENSITY_BOLD. This applies bold formatting instead of returning the text to normal intensity, causing text to appear bold when it should be undimmed.

// Check if TOWER_WORKFLOW_ID environment variable is set
def envWorkspaceId = System.getenv('TOWER_WORKFLOW_ID')
if (envWorkspaceId) {
println "\nDefault workspace: ${ColorUtil.colorize('TOWER_WORKFLOW_ID environment variable is set', 'yellow')}"

Bug: Incorrect Environment Variable Check in Nextflow Auth

The nextflow auth commands incorrectly check for the TOWER_WORKFLOW_ID environment variable when configuring and displaying the default workspace. This prevents the system from recognizing the intended TOWER_WORKSPACE_ID environment variable for workspace selection.

@pditommaso

Let's start refactoring this as nf-seqera plugin (in the plugins directory, same as nf-tower)

jorgee commented Sep 26, 2025

I get a bit confused about how -url is managed.
In the usage examples, it seems -url is used to support login for enterprise, but inside the code it is also used to decide whether to use cloud dev, stage or prod.
To manage it, the code has a couple of maps with the API and Auth0 URLs, and the Auth0 client ID for all environments, hardcoded in the code. There is also a complex sequence to check whether the URL is from platform (cloud) or enterprise, and if it is enterprise then it uses PAT instead of Auth0.

I think it is better to simplify it so that -url is for enterprise with PAT and no URL is for cloud. Moreover, instead of hardcoding all environments, keep just the production values as default and allow testing in other environments using env variables. In fact, we already have TOWER_API_ENDPOINT; we would just need to add the ones for the auth endpoint and client ID.

What do you think about it?

Comment on lines +690 to +698
if (isCloudEndpoint(apiUrl)) {
def tokenId = decodeTokenId(existingToken as String)
deleteTokenViaApi(existingToken as String, apiUrl, tokenId)
} else {
println " - Enterprise installation detected - PAT will not be deleted from platform."
}

removeAuthFromConfig()
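
Review bot: the call to removeAuthFromConfig() after the if/else does not depend on the outcome of deleteTokenViaApi(...), and the return value of decodeTokenId(...) is passed on unchecked. Unless deleteTokenViaApi throws on failure (not visible in this hunk), a failed remote delete leaves the token valid on the platform while the local copy is gone. Suggest checking the result and warning the user before clearing the config. In the enterprise branch the PAT stays valid by design, so the message could say that it must be revoked in the platform.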

Contributor

What happens if there was a previous token already defined in the config? Could it be deleted by mistake?

Member Author

Yes it will be deleted, by design. Maybe we could add a confirmation prompt?

ewels commented Sep 26, 2025

@jorgee I think that we still need the logic to detect the 3 prod / stage / dev URLs for cloud - it's needed to trigger the logic to try the Auth0 flow rather than just booting people to use a PAT.

If we have that logic in the code, then I don't really see a reason to not also include the key and auth0 URL personally, it's only a handful of extra lines of code. And it'd be a swap for env vars. Given that I don't envision ever needing to test with any other auth0 URLs I'm not really sure it'd be any simpler..?
