hickford/git-credential-oauth

OAuth device flow

hickford opened this issue · 3 comments

OAuth 2.0 Device Authorization Grant https://www.rfc-editor.org/rfc/rfc8628

Necessary for headless systems

Blocked by library support golang/oauth2#418 (Go proposal golang/go#58126)

Workaround: use Git Credential Manager https://github.com/GitCredentialManager/git-credential-manager

We need this for BitBucket, as we intend to use this on some systems where it's all CLI access via SSH, with no local browser.

It looks like even though BitBucket doesn't support a device flow, we could emulate it by using an implicit grant:

Implicit grant
Useful for browser-based operations without server-side back end support. This grant type requests authorization from the user by directing their browser to:

https://bitbucket.org/site/oauth2/authorize?client_id={key}&response_type=token

That will redirect to the callback URL with a fragment containing the access token (#access_token={token}&token_type=bearer) where your page's JavaScript can pull it out of the URL.

and possibly host a static page (on GitHub Pages?) that takes the access token & displays it on screen, similar to the device grant flow from Google / GitHub, for copy/paste entry via SSH.

I may fork & implement this - any thoughts before I do?

I realised afterwards that the OAuth2 device flow was quite a bit different to what we'd have to implement for this kind of interaction to work on BitBucket, so sorry for the initial confusion.

I have got a version working, with both your Device Auth implementation for GitHub, and a copy/paste solution for BitBucket:

affordablemobiles@1ee2277

In the process, I made it fall back to device authentication if it couldn't open the browser automatically (suggesting headless operation), and for our use case, store the credentials to file.
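The copy/paste variant of the implicit grant discussed in this thread, as an added Go example; it is not code from git-credential-oauth or from the fork linked above. The helper name `tokenFromPaste`, the `example.invalid` callback and the sample values are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// authorizeURL builds the implicit-grant URL quoted in the thread.
func authorizeURL(clientID string) string {
	q := url.Values{"client_id": {clientID}, "response_type": {"token"}}
	return "https://bitbucket.org/site/oauth2/authorize?" + q.Encode()
}

// tokenFromPaste (hypothetical helper) accepts either the full callback URL
// or the bare fragment pasted by the user and returns the access token.
func tokenFromPaste(pasted string) (string, error) {
	pasted = strings.TrimSpace(pasted)
	frag := pasted
	if i := strings.Index(pasted, "#"); i >= 0 {
		frag = pasted[i+1:]
	} else if strings.Contains(pasted, "://") {
		return "", errors.New("callback URL has no fragment")
	}
	vals, err := url.ParseQuery(frag)
	if err != nil {
		return "", fmt.Errorf("malformed fragment: %w", err)
	}
	// RFC 6749 section 4.2.2.1: implicit-grant errors also arrive in the fragment.
	if e := vals.Get("error"); e != "" {
		return "", fmt.Errorf("authorization failed: %s", e)
	}
	if !strings.EqualFold(vals.Get("token_type"), "bearer") {
		return "", errors.New("unexpected token_type")
	}
	tok := vals.Get("access_token")
	if tok == "" {
		return "", errors.New("no access_token in fragment")
	}
	return tok, nil
}

func main() {
	fmt.Println(authorizeURL("EXAMPLE_KEY"))
	// Constructed sample callback; the token value is a placeholder.
	tok, err := tokenFromPaste("https://example.invalid/cb#access_token=PLACEHOLDER&token_type=bearer")
	fmt.Println(len(tok), err) // print the length, not the token itself
}
```

With this approach the bearer token passes through the browser address bar and the terminal, so a credential helper using it should avoid echoing or logging the pasted value.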