OAuth Login and Token Refresh Fail with Separate SSH/API Hostnames in glab CLI

Summary

When configuring glab CLI with different hostnames for SSH (e.g. ssh.example.com) and HTTP(S)/API (e.g. example.com), it is not possible to perform the initial/refresh OAuth login for the SSH entry. The only way to proceed is to manually copy all OAuth-related settings from the working (non-SSH) entry into the ssh entry in the plain config file. With this workaround, glab works temporarily, but once the token expires, token refresh fails and normal operation is broken. Glab does not consistently respect the correct API host for GraphQL and OAuth.

Steps to reproduce

  1. Configure glab to use different hostnames for SSH and HTTPS, for example:
    • example.com (for HTTP(s)/API)
    • ssh.example.com (for SSH)
  2. Attempt to run glab auth login for the SSH entry — observe that OAuth login is not possible.
  3. As a workaround, manually copy all OAuth-related settings from the working HTTP entry in the config file to the SSH entry.
  4. Run glab commands — they work while the token is valid.
  5. Once the token expires, observe that token refresh fails and authentication breaks.

What is the current bug behavior?

  • Cannot perform initial OAuth login for SSH hostname configuration.
  • Only way to get things working is to copy settings manually.
  • When the token expires, glab cannot refresh it, resulting in authentication errors.
  • glab appears to sometimes use the SSH host instead of the API host for OAuth/GraphQL.

see

glab auth status                                                                   
example.com
  ✓ Logged in to example.com as UserName (/Users/username/.config/glab-cli/config.yml)
  ✓ Git operations for example.com configured to use https protocol.
  ✓ API calls for example.com are made over https protocol.
  ✓ REST API Endpoint: https://example.com/api/v4/
  ✓ GraphQL Endpoint: https://example.com/api/graphql/
  ✓ Token found: ****...
ssh.example.com
  x ssh.example.com: API call failed: Post "https://ssh.example.com/oauth/token": dial tcp 1.1.1.1:443: i/o timeout
  ✓ Git operations for ssh.example.com configured to use ssh protocol.
  ✓ API calls for ssh.example.com are made over https protocol.
  ✓ REST API Endpoint: https://example.com/api/v4/
  ✓ GraphQL Endpoint: https://ssh.example.com/api/graphql/
  ✓ Token found: ****...

You can see, oauth and graphql is pointing to the ssh hostname ...

related config:

hosts:
    example.com:
        client_id: xy...
        is_oauth2: "true"
        oauth2_refresh_token: ab...
        oauth2_expiry_date: 01 Dec 25 10:59 CET
        token: dc....
        oauth2_code_verifier: ""
        api_host: example.com
        git_protocol: https
        api_protocol: https
        user: UserName
    ssh.example.com:
        api_host: example.com
        api_protocol: https
        git_protocol: ssh
        client_id: xy...
        is_oauth2: "true"
        oauth2_refresh_token: ab...
        oauth2_expiry_date: 01 Dec 25 10:59 CET
        token: dc....
        oauth2_code_verifier: ""
        user: UserName

What is the expected correct behavior?

  • glab should allow OAuth login even when using different hostnames for SSH and HTTP(s).
  • The CLI should always use the configured API host for all REST, GraphQL, and OAuth flows, regardless of SSH configuration.
  • Token refresh should work seamlessly.