CLI Authentication #1139
-
|
Reading through the documentation and #385 about the different authentication flows (Browser, API) I was wondering what would be the best way to implement CLI authentication. Previously, I've implemented OIDC based auth flows for CLI tools where the browser was involved (obviously). That's not always possible (eg. in case of machine users or terminal environments), but it's often an available option. So CLI authentication is somewhere between browser and API auth from that perspective. Password auth would certainly work, but it's often not even available (in enterprise applications). When SSO (OIDC) is the only way to login how can we implement CLI logins? Implementing PAT (or similar strategies) support in the application is always an option (see #1106). What do you think? Does it worth implementing login in CLI tools? Or one should just opt for implementing PATs? |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 4 replies
-
|
I think OIDC flows offer better user experience than PATs when a browser is available. If it's not, I think PATs are superior to entering your details in a CLI prompt as that works with CI etc. |
Beta Was this translation helpful? Give feedback.
-
|
Yeah, that's my thinking as well. Would that (OIDC) work with Kratos at the moment for a CLI tool? |
Beta Was this translation helpful? Give feedback.
-
|
It does but it's a bit complicated, we are planning on adding support for Ory Hydra after MFA lands |
Beta Was this translation helpful? Give feedback.
-
|
How would that support be different from let's say using any other OIDC provider? |
Beta Was this translation helpful? Give feedback.
-
|
see this issue for more info on the Hydra/Kratos integration: #273 |
Beta Was this translation helpful? Give feedback.
I think OIDC flows offer better user experience than PATs when a browser is available. If it's not, I think PATs are superior to entering your details in a CLI prompt as that works with CI etc.