Closed michielbdejong closed 1 month ago
Oh wait, the command line script is actually a client, it should have its own client secret, different from what other instances of the same script on other servers would have. So we need dynamic client registration. And from there it could maybe do something like lodging intent / fapi-ciba.
Phase 1: Client sends data to AS over server-to-server https and back
Phase 2: Client shows a URL in the CLI, user clicks it and follows redirect until success
Phase 3: Client receives credentials it needed (probably repeated polling)
Phase 4: User closes the browser window
Ah, I know a piece of software that uses something like this: npm publish.
l$ npm login
npm notice Log in on https://registry.npmjs.org/
Login at:
https://www.npmjs.com/login?next=/login/cli/ee85d047-e197-46db-9dd9-663c88fc0267
Press ENTER to open in the browser...
Logged in on https://registry.npmjs.org/.
I'll copy that pattern!
Opening the browser with
root@vultr3:~/ts-oauth2-server-example# npm login
npm notice Log in on https://registry.npmjs.org/
Login at:
https://www.npmjs.com/login?next=/login/cli/3fa0be82-91e7-4c22-89cd-7d97b13a88be
Press ENTER to open in the browser...
Browser unavailable. Please open the URL manually:
https://www.npmjs.com/login?next=/login/cli/3fa0be82-91e7-4c22-89cd-7d97b13a88be
⠧
I can copy the code from https://github.com/npm/cli/blob/latest/lib/utils/open-url.js
Got this working now. It polls the ticket to get credentials. After that it could access the owncloud server once I set that up.
It would be nice if the WebDAV mounter could run anywhere, but then how does it receive back the token from the browser? Should it open up an https port on the server where it runs, so that the browser can post in the resulting access token there? How do other people do this? Maybe a device code flow?
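The four phases listed in this thread, as an added example that is not part of the original posts or of the ts-oauth2-server-example code: a constructed in-memory authorization server stub and the CLI's polling loop, showing the ticket bound to one client, single-use redemption, and back-off. The poll error codes are those of the OAuth device authorization grant (RFC 8628), the "device code flow" the post asks about; every function name, client id and URL here is hypothetical.

```javascript
// Added example with constructed names: an in-memory authorization server (AS)
// stub and the CLI's polling loop. Error codes are those of RFC 8628 section 3.5.
function makeAuthServer(now) {
  const tickets = new Map();
  let counter = 0;
  return {
    // Phase 1: server-to-server call; returns the poll handle and the URL to show.
    start(clientId) {
      const ticket = `ticket-${++counter}`; // a real AS uses an unguessable random value
      tickets.set(ticket, { clientId, approved: false, expires: now() + 600, interval: 5, lastPoll: -Infinity });
      return { ticket, interval: 5, loginUrl: `https://as.example/login/cli/${ticket}` };
    },
    // Phase 2: the user has followed the redirects in the browser to success.
    approve(ticket) { tickets.get(ticket).approved = true; },
    // Phase 3: one poll. The ticket only works for the client that started it.
    poll(clientId, ticket) {
      const t = tickets.get(ticket);
      if (!t || t.clientId !== clientId) return { error: 'invalid_grant' };
      if (now() >= t.expires) { tickets.delete(ticket); return { error: 'expired_token' }; }
      const tooFast = now() - t.lastPoll < t.interval;
      t.lastPoll = now();
      if (tooFast) return { error: 'slow_down' };
      if (!t.approved) return { error: 'authorization_pending' };
      tickets.delete(ticket); // single use: a replayed ticket yields nothing
      return { access_token: `token-for-${clientId}` };
    },
  };
}

// CLI side of phase 3. sleep(seconds) is injected so this runs on a fake clock; a real CLI awaits a timer.
function pollForToken(srv, clientId, { ticket, interval }, sleep) {
  for (let polls = 1; ; polls++) {
    sleep(interval);
    const r = srv.poll(clientId, ticket);
    if (r.access_token) return { token: r.access_token, polls };
    if (r.error === 'slow_down') interval += 5; // back off as RFC 8628 asks
    else if (r.error !== 'authorization_pending') throw new Error(r.error);
  }
}

// Constructed run: the user approves in the browser 12 s after the URL is shown.
function demo() {
  let clock = 0;
  const srv = makeAuthServer(() => clock);
  const grant = srv.start('cli-A');
  const sleep = (s) => { clock += s; if (clock >= 12 && clock - s < 12) srv.approve(grant.ticket); };
  const result = pollForToken(srv, 'cli-A', grant, sleep);
  return { ...result, replay: srv.poll('cli-A', grant.ticket).error };
}
```

Because the client never receives anything from the browser directly, it needs no open port; the 600 s expiry in the stub also guarantees the loop ends if the user never approves.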