cli: add jmp login --force

[bennyz]

In order to force a new login and get token with full lifetime if current one is about to expire

Summary by CodeRabbit

Release Notes

• New Features
  • Added --force flag to the login command enabling on-demand credential refresh.
  • Updated credential refresh guidance to direct users to jmp login --force when credentials expire or are expiring soon.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[netlify]

✅ Deploy Preview for jumpstarter-docs ready!

Name	Link
🔨 Latest commit	8ac7256
🔍 Latest deploy log	https://app.netlify.com/projects/jumpstarter-docs/deploys/6966789f3afc270008223a6d
😎 Deploy Preview	https://deploy-preview-797--jumpstarter-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a --force flag to the login command that triggers credential refresh by passing a "login" prompt parameter to the OIDC authorization flow. Updates user guidance messages to instruct users to use this flag when credentials expire or are expiring soon.

Changes

Cohort / File(s)	Summary
OIDC Authorization Enhancement packages/jumpstarter-cli-common/jumpstarter_cli_common/oidc.py	Added optional prompt parameter to authorization_code_grant method; conditionally includes prompt in OAuth2 authorization URL via auth_params dictionary
Login Command Feature packages/jumpstarter-cli/jumpstarter_cli/login.py	Introduced --force flag to login command; passes force boolean through login flow to supply prompt value of "login" when force is true, otherwise None
User Guidance Updates packages/jumpstarter-cli/jumpstarter_cli/auth.py	Updated credential refresh guidance messages to instruct users to run jmp login --force for expired and soon-to-expire tokens

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• jumpstarter-dev/jumpstarter#329: Also modifies OIDC Config implementation in the same file to extend authorization flow capabilities with additional grant types and CLI options.

Suggested reviewers

• mangelajo

Poem

🐰 A force to refresh, a prompt to comply,
Login anew with a flag, oh my!
Credentials renewed, no token despair,
The --force flag hops through the air! 🎫

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 60.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely describes the main change: adding a --force flag to the jmp login command. It directly matches the primary objective of enabling forced login to refresh tokens.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

packages/jumpstarter-cli-common/jumpstarter_cli_common/oidc.py (1)

123-128: Consider updating the comment to be more generic.

The comment references "force" but this method only knows about the prompt parameter. A more accurate comment would be:

-        # Add prompt parameter if force requested
+        # Add prompt parameter if provided

This keeps the abstraction clean since authorization_code_grant doesn't need to know about the --force flag semantics.

packages/jumpstarter-cli/jumpstarter_cli/login.py (1)

159-163: Consider adding prompt="login" to relogin_client.

Since relogin_client is specifically for re-authentication scenarios (when tokens are expired), it may benefit from using prompt="login" to ensure a fresh authentication rather than potentially reusing an existing IdP session:

         oidc = Config(issuer=issuer, client_id=client_id)
-        tokens = await oidc.authorization_code_grant()
+        tokens = await oidc.authorization_code_grant(prompt="login")
         config.token = tokens["access_token"]

This would provide consistent behavior with jmp login --force and ensure users get a fresh token with full lifetime.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cea4061 and 8ac7256.

📒 Files selected for processing (3)

• packages/jumpstarter-cli-common/jumpstarter_cli_common/oidc.py
• packages/jumpstarter-cli/jumpstarter_cli/auth.py
• packages/jumpstarter-cli/jumpstarter_cli/login.py

🧰 Additional context used

📓 Path-based instructions (1)

**/*.py

📄 CodeRabbit inference engine (.cursor/rules/project-structure.mdc)

Ruff should be used for code formatting and linting, excluding jumpstarter-protocol package

Files:

• packages/jumpstarter-cli/jumpstarter_cli/auth.py
• packages/jumpstarter-cli-common/jumpstarter_cli_common/oidc.py
• packages/jumpstarter-cli/jumpstarter_cli/login.py

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (11)

• GitHub Check: build
• GitHub Check: pytest-matrix (macos-15, 3.12)
• GitHub Check: pytest-matrix (ubuntu-24.04, 3.13)
• GitHub Check: pytest-matrix (macos-15, 3.13)
• GitHub Check: pytest-matrix (ubuntu-24.04, 3.11)
• GitHub Check: pytest-matrix (ubuntu-24.04, 3.12)
• GitHub Check: pytest-matrix (macos-15, 3.11)
• GitHub Check: e2e
• GitHub Check: Redirect rules - jumpstarter-docs
• GitHub Check: Header rules - jumpstarter-docs
• GitHub Check: Pages changed - jumpstarter-docs

🔇 Additional comments (4)

packages/jumpstarter-cli-common/jumpstarter_cli_common/oidc.py (1)

85-85: LGTM on the signature extension.

The optional prompt parameter follows the OIDC specification and integrates cleanly with the existing method signature.

packages/jumpstarter-cli/jumpstarter_cli/auth.py (1)

22-27: LGTM!

The updated guidance messages are clear and actionable, correctly directing users to use --force for credential refresh in both expired and expiring-soon scenarios.

packages/jumpstarter-cli/jumpstarter_cli/login.py (2)

22-27: LGTM on the --force flag definition.

The flag is well-defined with appropriate defaults and help text.

---

134-135: LGTM!

The prompt="login" is correctly applied only to the authorization code grant flow, which is the appropriate OAuth flow for browser-based re-authentication. Token exchange and password grants don't support/need this parameter.