add a login banner to CLI-based login prompts which shows the IDP name

Skip showing the banner when the CLI does not know the IDP name
from the CLI args (which are typically encoded in the kubeconfig).

Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>

pkg/oidcclient/login.go

@@ -513,6 +513,10 @@ func (h *handlerState) cliBasedAuth(authorizeOptions *[]oauth2.AuthCodeOption) (
 func (h *handlerState) getUsernameAndPassword() (string, string, error) {
 	var err error
 
+	if h.upstreamIdentityProviderName != "" {
+		_, _ = fmt.Fprintf(h.out, "\nLog in to %s\n\n", h.upstreamIdentityProviderName)
+	}
+
 	username := h.getEnv(defaultUsernameEnvVarName)
 	if username == "" {
 		username, err = h.promptForValue(h.ctx, usernamePrompt, h.out)

pkg/oidcclient/login_test.go

@@ -1082,6 +1082,7 @@ func TestLogin(t *testing.T) { //nolint:gocyclo
 			},
 			issuer:     successServer.URL,
 			wantLogs:   []string{"\"level\"=4 \"msg\"=\"Pinniped: Performing OIDC discovery\"  \"issuer\"=\"" + successServer.URL + "\""},
+			wantStdErr: "^\nLog in to some-upstream-name\n\n$",
 			wantErr:    "error prompting for username: some prompt error",
 		},
 		{
@@ -1096,6 +1097,7 @@ func TestLogin(t *testing.T) { //nolint:gocyclo
 			},
 			issuer:     successServer.URL,
 			wantLogs:   []string{"\"level\"=4 \"msg\"=\"Pinniped: Performing OIDC discovery\"  \"issuer\"=\"" + successServer.URL + "\""},
+			wantStdErr: "^\nLog in to some-upstream-name\n\n$",
 			wantErr:    "error prompting for password: some prompt error",
 		},
 		{
@@ -1151,6 +1153,7 @@ func TestLogin(t *testing.T) { //nolint:gocyclo
 			},
 			issuer:     successServer.URL,
 			wantLogs:   []string{"\"level\"=4 \"msg\"=\"Pinniped: Performing OIDC discovery\"  \"issuer\"=\"" + successServer.URL + "\""},
+			wantStdErr: "^\nLog in to some-upstream-name\n\n$",
 			wantErr: `authorization response error: Get "https://` + successServer.Listener.Addr().String() +
 				`/authorize?access_type=offline&client_id=test-client-id&code_challenge=` + testCodeChallenge +
 				`&code_challenge_method=S256&nonce=test-nonce&pinniped_idp_name=some-upstream-name&` +
@@ -1167,6 +1170,7 @@ func TestLogin(t *testing.T) { //nolint:gocyclo
 			},
 			issuer:     successServer.URL,
 			wantLogs:   []string{"\"level\"=4 \"msg\"=\"Pinniped: Performing OIDC discovery\"  \"issuer\"=\"" + successServer.URL + "\""},
+			wantStdErr: "^\nLog in to some-upstream-name\n\n$",
 			wantErr:    `error getting authorization: expected to be redirected, but response status was 502 Bad Gateway`,
 		},
 		{
@@ -1184,6 +1188,7 @@ func TestLogin(t *testing.T) { //nolint:gocyclo
 			},
 			issuer:     successServer.URL,
 			wantLogs:   []string{"\"level\"=4 \"msg\"=\"Pinniped: Performing OIDC discovery\"  \"issuer\"=\"" + successServer.URL + "\""},
+			wantStdErr: "^\nLog in to some-upstream-name\n\n$",
 			wantErr:    `login failed with code "access_denied": optional-error-description`,
 		},
 		{
@@ -1201,6 +1206,7 @@ func TestLogin(t *testing.T) { //nolint:gocyclo
 			},
 			issuer:     successServer.URL,
 			wantLogs:   []string{"\"level\"=4 \"msg\"=\"Pinniped: Performing OIDC discovery\"  \"issuer\"=\"" + successServer.URL + "\""},
+			wantStdErr: "^\nLog in to some-upstream-name\n\n$",
 			wantErr:    `error getting authorization: redirected to the wrong location: http://other-server.example.com/callback?code=foo&state=test-state`,
 		},
 		{
@@ -1218,6 +1224,7 @@ func TestLogin(t *testing.T) { //nolint:gocyclo
 			},
 			issuer:     successServer.URL,
 			wantLogs:   []string{"\"level\"=4 \"msg\"=\"Pinniped: Performing OIDC discovery\"  \"issuer\"=\"" + successServer.URL + "\""},
+			wantStdErr: "^\nLog in to some-upstream-name\n\n$",
 			wantErr:    `login failed with code "access_denied"`,
 		},
 		{
@@ -1233,6 +1240,7 @@ func TestLogin(t *testing.T) { //nolint:gocyclo
 			},
 			issuer:     successServer.URL,
 			wantLogs:   []string{"\"level\"=4 \"msg\"=\"Pinniped: Performing OIDC discovery\"  \"issuer\"=\"" + successServer.URL + "\""},
+			wantStdErr: "^\nLog in to some-upstream-name\n\n$",
 			wantErr:    `missing or invalid state parameter in authorization response: http://127.0.0.1:0/callback?code=foo&state=wrong-state`,
 		},
 		{
@@ -1260,6 +1268,7 @@ func TestLogin(t *testing.T) { //nolint:gocyclo
 			},
 			issuer:     successServer.URL,
 			wantLogs:   []string{"\"level\"=4 \"msg\"=\"Pinniped: Performing OIDC discovery\"  \"issuer\"=\"" + successServer.URL + "\""},
+			wantStdErr: "^\nLog in to some-upstream-name\n\n$",
 			wantErr:    "could not complete authorization code exchange: some authcode exchange or token validation error",
 		},
 		{
@@ -1358,6 +1367,7 @@ func TestLogin(t *testing.T) { //nolint:gocyclo
 			},
 			issuer:     successServer.URL,
 			wantLogs:   []string{"\"level\"=4 \"msg\"=\"Pinniped: Performing OIDC discovery\"  \"issuer\"=\"" + successServer.URL + "\""},
+			wantStdErr: "^\nLog in to some-upstream-name\n\n$",
 			wantToken:  &testToken,
 		},
 		{
@@ -1572,6 +1582,7 @@ func TestLogin(t *testing.T) { //nolint:gocyclo
 				"\"level\"=4 \"msg\"=\"Pinniped: Read username from environment variable\"  \"name\"=\"PINNIPED_USERNAME\"",
 				"\"level\"=4 \"msg\"=\"Pinniped: Read password from environment variable\"  \"name\"=\"PINNIPED_PASSWORD\"",
 			},
+			wantStdErr: "^\nLog in to some-upstream-name\n\n$",
 			wantToken:  &testToken,
 		},
 		{