feat(oauth): use oauth device flow to authenticate with predefined src-cli OAuth client

[burmudar]

This adds the flag --device-flow to login command which then starts the OAuth device authentication flow. gh does the same flow when you authenticate from the cli with gh auth login.

• add package internal/oauthdevice
• discover oauth configuration via path .well-known/openid-configuration
• add client to handle flow, in particular to discover the endpoints it should use and ultimately poll for the token once the user as authorized the application.

I wanted to add --client-id in case people wanted to override the default client that is used which can also be used for testing, but when I tried creating a client on S2 it doesn't have the correct configuration as set from the UI to be able to do this.

Important

Seems like a lot of code but it's the tests that make up most of it

Test plan

• Unit tests

go test -v ./internal/oauthdevice/...
=== RUN   TestDiscover_Success
--- PASS: TestDiscover_Success (0.00s)
=== RUN   TestDiscover_Caching
--- PASS: TestDiscover_Caching (0.00s)
=== RUN   TestDiscover_Error
--- PASS: TestDiscover_Error (0.00s)
=== RUN   TestStart_Success
--- PASS: TestStart_Success (0.00s)
=== RUN   TestStart_WithScopes
--- PASS: TestStart_WithScopes (0.00s)
=== RUN   TestStart_Error
--- PASS: TestStart_Error (0.00s)
=== RUN   TestStart_NoDeviceEndpoint
--- PASS: TestStart_NoDeviceEndpoint (0.00s)
=== RUN   TestPoll_Success
--- PASS: TestPoll_Success (0.00s)
=== RUN   TestPoll_AuthorizationPending
--- PASS: TestPoll_AuthorizationPending (0.00s)
=== RUN   TestPoll_SlowDown
--- PASS: TestPoll_SlowDown (0.00s)
=== RUN   TestPoll_ExpiredToken
--- PASS: TestPoll_ExpiredToken (0.00s)
=== RUN   TestPoll_AccessDenied
--- PASS: TestPoll_AccessDenied (0.00s)
=== RUN   TestPoll_Timeout
--- PASS: TestPoll_Timeout (0.00s)
=== RUN   TestPoll_ContextCancellation
--- PASS: TestPoll_ContextCancellation (0.00s)
PASS
ok      github.com/sourcegraph/src-cli/internal/oauthdevice     0.625s

• Tested manually against my local SG

Amp thread

[eseliger]

no emojis in UI please 😬 since claude, this has an AI vibe slop feeling to it :(

[burmudar]

valid :) I'll remove it

[burmudar]

Removed. We need to do a larger sweep of the other emojis too :|

[eseliger]

what you get here is not a SG access token, it's an oauth token and it comes with an access token and refresh token (and expiry) and needs to regularly be refreshed.

I think we need to store the accesstoken/refreshtoken pair in secure storage and add some http Transport that refreshes the credential as needed.

[burmudar]

Will look at using https://github.com/99designs/keyring. We already use it with sg to store some secrets. It uses your OS keychain

[eseliger]

oh nice, cross OS too :)

[burmudar]

This change is part of the following stack:

• feat(oauth): use oauth device flow to authenticate with predefined src-cli OAuth client  #1223 ◀
  • feat(oauth): Add refresh to oauthdevice.Client #1227
    • feat(oauth): Use keyring to store oauth token #1228

_{Change managed by git-spice.}

[burmudar]

Should:

• always try to open the browser
• always print the url

[keegancsmith]

Do other CLI's require a flag for this? If I remember they are normally interactive right? You could still interactively decide between creating an access token vs oauth flows right?

[burmudar]

No they don't. It just happens. The plan it to make it part of the normal flow if you don't have SRC_ACCESS_TOKEN set

[eseliger]

src login is a misnomer currently haha, it should probably be renamed to src whoami and then src login is the interactive flow always 😬

[keegancsmith]

doesn't seem worth supporting a custom client-id given you shipped a predefined one. If a user still hasn't upgraded sourcegraph just fallback to the old flow?

[burmudar]

agreed. It's already removed just have to update