I second the recommendation to use the device flow for this kind of
system. The commandline client would print out a text string for the
user to enter into their browser elsewhere.
If you can pop up a system browser then it's even easier and you can
just use the auth code flow, but it's a lot to assume that a commandline
app can have that kind of capability available to it. Printing out a
string? That's easy and universal. That's why I say go with the device flow.
The thing is, at the end of the day, you need the user to authenticate
to the AS if you're going to get delegated access from them. That's
really the whole point of the OAuth protocol, after all. So you can
either do that in a local browser of some kind (like popping a system
browser), on another device (with the device flow), or you can be evil
and use the username/password grant and just steal the user's
credentials yourself. If it's not clear, I don't recommend that,
basically ever.
-- Justin
On 6/11/2017 11:58 PM, Aaron Parecki wrote:
I've seen this done a few ways:
* The Device Flow:
https://tools.ietf.org/html/draft-ietf-oauth-device-flow which is what
you see on browserless devices like the Apple TV logging in to a cable
provider from your phone. A short code is generated and displayed on
the screen, you launch a browser on your phone and enter the code.
This would work just as well from the command line on the same device.
* I've also seen apps use the authorization flow, by displaying the
authorization URL on the command line prompt and instructing the user
to open it in a browser. The redirect URI is a hosted web page that
displays the authorization code and instructs the user to paste it
back at the terminal.
* The command line app can launch an HTTP server on localhost and use
that as the redirect URL for the authorization code flow. This option
ends up being the most seamless since it works like a traditional flow
without any special instructions to the user.
----
Aaron Parecki
aaronparecki.com <http://aaronparecki.com>
@aaronpk <http://twitter.com/aaronpk>
On Sun, Jun 11, 2017 at 8:52 PM, Bill Burke <bbu...@redhat.com
<mailto:bbu...@redhat.com>> wrote:
Has anybody done any spec work around doing oauth from command
line interfaces? We're looking for something where the auth
server can generate text-based challenges that are rendered in the
console window that query for simple text input over possibly
multiple requests. I'm not talking about Resource Owner or Client
Credentials grant. The command line client may not know the
credential types required for a successful token request. It would
be easy to write a simple protocol, but I'd rather just do
something around any existing internet draft or rfc that somebody
has put some thought into. Hope I'm making sense here.
Thanks,
Bill Burke
Red Hat
_______________________________________________
OAuth mailing list
OAuth@ietf.org <mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
<https://www.ietf.org/mailman/listinfo/oauth>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
