-
Notifications
You must be signed in to change notification settings - Fork 5.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement OAuth Device Authorization flow #1522
Conversation
Before, we implemented the OAuth app authorization flow which requires a callback URL. To provide such a URL, we had to spin up a local HTTP server, which was brittle and did not cover cases where a person might want to authenticate with a browser that runs on a different machine than the GitHub CLI process. This implements the OAuth Device Authorization flow where the user is given a one-time code and asked to paste it in the browser flow. There is no callback URL, so we can avoid spinning up a local server, and the user may open a browser on any of their devices, as long as they provide the correct one-time code. If the Device Authorization flow is detected to be unavailable for the OAuth app (right now, it's specifically enabled for GitHub CLI) or for an older GitHub Enterprise instance, this falls back to the old app authentication flow.
Nice work!
|
I want to avoid falling back to the old OAuth flow for just any HTTP 4xx/5xx because other statuses should be allowed to surface a problem with a request or the server.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this rules 👍
We should be printing the URL out so that users can choose to abort and manually open it, but that can be a follow up
@tierninho Thanks for the thorough review!
We are, for commands that don't define their own
Ah, that's my bad. I just pushed a change that fixes logging in to GHE using the old flow! Thanks for the heads-up 🙇
I can see how this is a confusing experience, but there's no way around it that I can think of. Because you've Ctrl-C'ed the original process, you cannot use that first one-time code to complete the authentication process. The server will accept it, but there is no client to finalize the flow with that code anymore. Thanks for raising this, but I think it's an edge case which our users typically won't run into. |
Thanks for the update. Confirming the 403 error is no longer there with the changes. Was there supposed to be a space here: cli/pkg/cmd/auth/login/login.go Line 259 in 0cc5948
|
@tierninho This wasn't introduced in this PR, but we can tweak it here! @vilmibm Do you feel strongly about the If we keep it, should we expand it to a more readable |
I'd like to keep it in; I'm in favor of it being more explicit. |
https://github.com/login/device That's the URL that should be used for a separate device, right? |
@jsejcksn Yes. You can also ensure that the URL is printed by setting |
Before, we implemented the OAuth app authorization flow which requires a callback URL. To provide such a URL, we had to spin up a local HTTP server, which was brittle and did not cover cases where a person might want to authenticate with a browser that runs on a different machine than the GitHub CLI process.
This implements the OAuth Device Authorization flow where the user is given a one-time code and asked to paste it in the browser flow. There is no callback URL, so we can avoid spinning up a local server, and the user may open a browser on any of their devices, as long as they provide the correct one-time code.
This is how it looks like:
Here is the web-based portion of the flow
The user has to then close their browser tab and return to the terminal:
If the Device Authorization flow is detected to be unavailable for the OAuth app (right now, it's specifically enabled for GitHub CLI) or for an older GitHub Enterprise instance, this falls back to the old app authentication flow.
Fixes #297, fixes #773