Add Oauth2 login to cli

[max-wittig]

Description of the problem, including code/CLI snippet

Let's see if we can do something similar to the GitHub CLI

[nejch]

I kind of looked into this a bit for fun, as a next step now that the CLI is a bit easier to use. I think it would be possible to do conveniently only for GitLab.com, if we

1. register an OAuth app on GitLab.com (e.g. a group-level oauth app from python-gitlab/ with PKCE)
2. commit the client ID in the repo (at least that's what gh does, even the secret actually, see below), and then
3. follow the PKCE flow. A nice description is actually available for this in the pkce-flow package.

But for self-managed users would probably need to create their own OAuth apps and paste in the ID and instance URL, so the convenience over just creating a PAT in the web UI is kind of lost. It would actually be easier then to just steal the browser cookies and create a PAT like that, which seems hacky to me. Or no? 😁

If I'm not mistaken, it seems gh can get away with this because their CLI app is completely baked into the GitHub.com as well as GitHub EE servers themselves (just by reading things like cli/cli#4523, but I can't tell as the rest is closed source).

See:
https://github.com/cli/cli/blob/a9b2c0dc82158a1d31fd9c3c2d94e5f2511be98a/internal/authflow/flow.go#L17-L24

and
https://github.com/cli/cli/blob/eaa64df80193f4f632d574f25729460d8b657819/internal/authflow/flow.go#L76-L78

But maybe I'm just a bit clueless here with OAuth. Open to ideas @max-wittig @JohnVillalovos 😅

Edit: FWIW, glab also just points people to the preferences page to create and paste a token. Maybe that's a reasonable start. https://github.com/profclems/glab/blob/925d768472efc2a60c2f631b11f132bb2cf3806b/commands/auth/login/login.go#L335-L338

[max-wittig]

Thanks for your investigation @nejch. As most people are using gitlab.com, we could think about adding this.

Otherwise it's really mostly a one-time thing for most users, maybe a message is really enough for now.

[mstenz]

As most people are using gitlab.com, we could think about adding this.

How did you come up with this? Probably this would be valid in the OpenSource world, but EE very likely uses self-installed variant for different reasons I have the feeling (and also speaking for myself)

[nejch]

@mstenz yes I'd say that assumption is for open source.

For self-hosted EE (or Free) instances, we can't really do this flow without users also providing the instance URL and someone creating an OAuth application on that instance, then providing its client ID. At that point it makes more sense to just create a token IMO.

[mstenz]

maybe you can add something like question(s) where the user can put in these fields very easily and probably also save them in a connection file so it is not required to be entered all the time.

[nejch]

There is now some motivation on the GitLab side to make this more feasible across self-managed instances as well:

https://gitlab.com/gitlab-org/gitlab/-/issues/413809

We could potentially hook into that if it gets implemented. Then the gitlab.com vs self-managed discussion is no longer needed :)