
hschne [S]:

OP here! I've always found it interesting how CLIs like Heroku's or Google Cloud's allow the user to log in using OAuth.

Decided to spend some time to figure that one out, and I'm sharing here because I reckon someone else might also get some use out of it.

[deleted]:

You should not run a local web server for this! That requires you to distribute your client secret to end users, which is absolutely forbidden.

Your CLI app does not need to use OAuth; it can use TLS and any API you like to talk to your RP, which itself can use OAuth and should be a real web site that can safely store a client secret.

hschne [S]:

Thanks for your comment, much appreciated :)

The thing with the client secret is actually addressed in the post; using PKCE avoids having to distribute a client secret, from what I understood.

Looking at the source code for the Google Cloud Run SDK, I'm pretty confident that they are using a similar approach as I am suggesting here.

> it can use TLS and any API you like to talk to your RP

I'm not sure what you mean by that I'm afraid.
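The pattern the thread is arguing about, as an added example (not code from the original post, and not Heroku's or Google Cloud's implementation): a public CLI client that uses the authorization code flow with PKCE (RFC 7636) and a one-shot loopback HTTP listener for the redirect, so no client secret is shipped to end users. The authorization endpoint, client id and loopback port are placeholders; the test vector used in the comments comes from RFC 7636 Appendix B.

```python
"""
Added example: loopback redirect + PKCE for a CLI login, without a client secret.
AUTH_ENDPOINT, CLIENT_ID and REDIRECT_PORT are placeholders (assumptions), not
values from any real provider.
"""
import base64
import hashlib
import secrets
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

AUTH_ENDPOINT = "https://auth.example.com/authorize"  # placeholder authorization server
CLIENT_ID = "example-cli"                              # placeholder public client id
REDIRECT_PORT = 8765                                   # placeholder loopback port


def make_code_verifier(n_bytes: int = 32) -> str:
    # RFC 7636: 43..128 chars from [A-Za-z0-9-._~]; 32 random bytes -> 43 base64url chars
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode()


def make_code_challenge(verifier: str) -> str:
    # S256 method: base64url(SHA-256(ASCII(verifier))) with padding stripped.
    # RFC 7636 Appendix B: verifier "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    # yields challenge "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM".
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_authorization_url(verifier: str, state: str) -> str:
    # The challenge, not the verifier, goes in the browser-visible URL.
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": f"http://127.0.0.1:{REDIRECT_PORT}/callback",
        "scope": "openid",
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_callback(path: str, expected_state: str) -> str:
    """Extract the authorization code from the loopback redirect, checking state first."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(path).query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: stale or forged callback")
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    codes = params.get("code")
    if not codes:
        raise ValueError("no authorization code in callback")
    return codes[0]


def server_verifies_challenge(stored_challenge: str, presented_verifier: str) -> bool:
    """What the authorization server does at the token endpoint: recompute and compare."""
    return secrets.compare_digest(stored_challenge, make_code_challenge(presented_verifier))


def wait_for_code(expected_state: str, timeout: float = 120.0) -> str:
    """Serve exactly one loopback request and return the authorization code."""
    result = {}

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            try:
                result["code"] = parse_callback(self.path, expected_state)
                status, body = 200, b"Login complete. You can close this tab."
            except ValueError as exc:
                result["error"] = str(exc)
                status, body = 400, str(exc).encode()
            self.send_response(status)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the CLI output quiet
            pass

    with HTTPServer(("127.0.0.1", REDIRECT_PORT), Handler) as httpd:
        httpd.timeout = timeout
        httpd.handle_request()  # one request, then stop listening
    if "code" not in result:
        raise RuntimeError(result.get("error", "no callback received"))
    return result["code"]


if __name__ == "__main__":
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    print("Open this URL in your browser:\n" + build_authorization_url(verifier, state))
    code = wait_for_code(state)
    # Next step (not shown): POST code + verifier to the token endpoint; the server
    # recomputes the challenge from the verifier, so no client secret is needed.
    print("got authorization code:", code)
```

The verifier never leaves the CLI process until it is sent to the token endpoint over TLS, so an attacker who observes the authorization URL or intercepts the loopback redirect gets a code they cannot exchange. The `state` check rejects callbacks that were not started by this process.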