anvilresearch / connect-cli

CLI for Anvil Connect
MIT License

User authentication #8

Closed christiansmith closed 9 years ago

christiansmith commented 9 years ago

In order to manage servers remotely, we want to be able to use the HTTP API via the CLI. This means we need authenticated users with an OAuth 2.0 token scoped for administration. There are a number of implications in this requirement along with questions regarding the implementation.

1. The CLI could potentially be used to manage more than one deployment.

How do we manage such context? Centralized storage of server credentials? Running the command from a specific directory relative to a server config file?

2. The CLI must be registered as a client.

How is this accomplished? OIDC dynamic registration? Predefined client credentials?

3. Like all native clients, there's a disconnect between the browser and the CLI.

How do we handle the "transfer problem"?

There's a related issue on the Anvil Connect repo for native clients: https://github.com/anvilresearch/connect/issues/153

christiansmith commented 9 years ago

It should be noted that Divshot's CLI seems to have this sorted out nicely from a UX perspective. It's worth exploring their code to see if we can borrow any ideas.

scottcorgan commented 9 years ago

We just open a URL to an auth page and poll in the background until that user logs in.
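
An added sketch of the open-a-URL-and-poll login described in the comment above (not Divshot's or Anvil Connect's code, and not part of the original thread). `LoginTickets`, `waitForLogin`, the `auth.example.invalid` URL and the in-memory store are all hypothetical; it shows the properties a reviewer would check: the poll secret never appears in the browser URL, tickets expire, and the token is handed out once.

```javascript
const nodeCrypto = require('crypto');
const sha256 = (s) => nodeCrypto.createHash('sha256').update(s).digest();

// Server side (hypothetical): pending CLI logins, kept in memory for the demo.
class LoginTickets {
  constructor(ttlMs = 120000, now = () => Date.now()) {
    this.ttlMs = ttlMs;
    this.now = now;
    this.pending = new Map();
  }
  // Step 1: the CLI asks for a ticket. Only ticketId goes into the browser URL;
  // pollSecret stays in the CLI process, so seeing the URL is not enough to poll.
  start() {
    const ticketId = nodeCrypto.randomBytes(16).toString('hex');
    const pollSecret = nodeCrypto.randomBytes(32).toString('hex');
    const expires = this.now() + this.ttlMs;
    this.pending.set(ticketId, { hash: sha256(pollSecret), expires, token: null });
    return { ticketId, pollSecret, url: 'https://auth.example.invalid/cli-login?ticket=' + ticketId };
  }
  // Step 2: the auth page calls this after the user has logged in.
  approve(ticketId, token) {
    const t = this.pending.get(ticketId);
    if (!t || this.now() > t.expires) return false;
    t.token = token;
    return true;
  }
  // Step 3: the CLI polls. The token is handed out once, then the ticket is gone.
  poll(ticketId, pollSecret) {
    const t = this.pending.get(ticketId);
    if (!t) return { status: 'unknown' };
    if (this.now() > t.expires) {
      this.pending.delete(ticketId);
      return { status: 'expired' };
    }
    const given = sha256(String(pollSecret));
    if (!nodeCrypto.timingSafeEqual(given, t.hash)) return { status: 'denied' };
    if (t.token === null) return { status: 'pending' };
    this.pending.delete(ticketId);
    return { status: 'ok', token: t.token };
  }
}

// CLI side: poll at a fixed interval until the ticket resolves either way.
async function waitForLogin(server, ticket, intervalMs = 2000) {
  for (;;) {
    const r = server.poll(ticket.ticketId, ticket.pollSecret);
    if (r.status !== 'pending') return r;
    await new Promise((resolve) => setTimeout(resolve, intervalMs));
  }
}
```
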

christiansmith commented 9 years ago

@scottcorgan it works beautifully too. I'd like to figure out how to get that kind of behavior within the context of an OAuth/OIDC flow so that it's a general mechanism other native clients can make use of.

By the way, how's nash 3.0 coming along? I expect we're going to be creating a large number of "tasks" and it would be awesome to start with the new syntax...

We'd love to see you at one of the weekly hangouts on Thursdays at 9am PST if you're up for a discussion.

scottcorgan commented 9 years ago

@christiansmith Hit me up over email. I'd love to chat.

christiansmith commented 9 years ago

Will do.

christiansmith commented 9 years ago

Closing this because we have a workable CLI login now. We'll make a separate issue for browser-based CLI sign-in.