Is your feature request related to a problem?
Browser-based login (phase auth --mode webauth) starts a local HTTP callback server on a random port. In src/cmd/auth_webauth.go:
port := 8002 + rand.Intn(12001) // line 59
listener, err := net.Listen("tcp", fmt.Sprintf(":%d", port)) // line 100
The port is chosen fresh on every run (roughly 8002-20002) and there is no way to override it. This breaks webauth inside containers: Docker port publishing (-p) requires the port to be known ahead of time, so an unpredictable port cannot be mapped. Today the only workaround is --network=host, which is Linux-only and does not behave the same on Docker Desktop (macOS/Windows).
Describe the solution you'd like
Add a --webauth-port flag to the auth command (webauth mode) that pins the callback server to a caller-specified port instead of a random one. For example:
phase auth --mode webauth --webauth-port 8002
The chosen port would be used both for net.Listen and in the port field of the base64 webauth payload sent to the browser, so the Console redirects back to the same fixed port. With a known port, a container can publish it normally:
docker run -p 8002:8002 ... phase auth --mode webauth --webauth-port 8002
Behavior when the flag is omitted stays exactly as it is today (random port), so this is fully backward compatible.
Describe alternatives you've considered
--network=host: the current workaround. Linux-only, broader network exposure than needed, and inconsistent on Docker Desktop.
- A
PHASE_WEBAUTH_PORT environment variable instead of (or in addition to) a flag - may be more ergonomic for container setups where flags are awkward.
- Token-based auth (
phase auth --mode token) avoids the callback server entirely, but loses the convenience of the browser flow.
Additional context
- Relevant code:
src/cmd/auth_webauth.go (port selection at line 59, listener at line 100, payload struct webAuthPayload.Port).
Is your feature request related to a problem?
Browser-based login (
phase auth --mode webauth) starts a local HTTP callback server on a random port. Insrc/cmd/auth_webauth.go:The port is chosen fresh on every run (roughly 8002-20002) and there is no way to override it. This breaks webauth inside containers: Docker port publishing (
-p) requires the port to be known ahead of time, so an unpredictable port cannot be mapped. Today the only workaround is--network=host, which is Linux-only and does not behave the same on Docker Desktop (macOS/Windows).Describe the solution you'd like
Add a
--webauth-portflag to theauthcommand (webauth mode) that pins the callback server to a caller-specified port instead of a random one. For example:The chosen port would be used both for
net.Listenand in theportfield of the base64 webauth payload sent to the browser, so the Console redirects back to the same fixed port. With a known port, a container can publish it normally:Behavior when the flag is omitted stays exactly as it is today (random port), so this is fully backward compatible.
Describe alternatives you've considered
--network=host: the current workaround. Linux-only, broader network exposure than needed, and inconsistent on Docker Desktop.PHASE_WEBAUTH_PORTenvironment variable instead of (or in addition to) a flag - may be more ergonomic for container setups where flags are awkward.phase auth --mode token) avoids the callback server entirely, but loses the convenience of the browser flow.Additional context
src/cmd/auth_webauth.go(port selection at line 59, listener at line 100, payload structwebAuthPayload.Port).