heroku / cli

Heroku CLI
https://devcenter.heroku.com/articles/heroku-cli
ISC License

login flow should be via the web #45

Closed danp closed 5 years ago

danp commented 9 years ago

Currently heroku login prompts for email and password. To do that, I need to flip to my password manager and get at least my password, if not my email as well for convenience.

It would be very nice if instead heroku login did a normal web-based OAuth flow so, if I get prompted for email and password by id.heroku.com or similar, I can just use my password manager as I do for the web normally.

jdx commented 9 years ago

cc @rwz @dmcinnes might this have something to do with the new auth stuff?

dmcinnes commented 9 years ago

cc @heroku/enterprise-experience-team Yeah it's certainly something we'd need for Federated Identity to work seamlessly with the CLI. Though we punted on that for the first revision :)

friism commented 8 years ago

As with most other improvements to Heroku, AppHarbor has already demonstrated how this can be solved:

@dpiddy I do think that we'll have to support cli-only flows because people will want to script login on CI servers and so forth

naaman commented 8 years ago

@friism I'm not sure how they're avoiding a browser. They're opening a local webserver and running an instance of a browser. The App Harbor approach is just showing a way to avoid a centrally running web-based callback by running a local webserver. The harder problem is eliminating the handling of usernames and passwords AND eliminating the need for a browser.

@dpiddy there are also headless flows where a user may not have access to a browser. e.g. SSH sessions.

That said, I think defaulting to a web-based login flow would be ideal. Overall, logging into my CLI via a browser works smoothly with password managers and allows SSO users to seamlessly log in. As a fallback, an option to log in interactively via a flag seems like a reasonable way to allow headless users to log in. @dickeyxxx recently proposed heroku login --interactive for this approach and heroku login defaults to popping open a web browser.

friism commented 8 years ago

@naaman they're not avoiding a browser, that wasn't my point.

friism commented 8 years ago

(just wanted to show how one could snatch the OAuth callback)

danp commented 8 years ago

Who is scripting heroku login for CI? Shouldn't they be using an oauth token?

I just want to be able to use 1password/lastpass as part of heroku login instead of having to copy my email/password into the terminal.

balansubr commented 8 years ago

wow. I didn't even think of that benefit. No more manual copying password from 1password.

On Monday, November 16, 2015, Dan Peterson notifications@github.com wrote:

> Who is scripting heroku login for CI? Shouldn't they be using an oauth token?
>
> I just want to be able to use 1password/lastpass as part of heroku login instead of having to copy my email/password into the terminal.


friism commented 8 years ago

This might be interesting: http://blogs.msdn.com/b/visualstudioalm/archive/2015/11/18/visual-studio-team-services-git-credential-manager-for-mac-and-linux.aspx

jdx commented 8 years ago

cc @paulelliott @ike-delorenzo

What I'm currently proposing is to automatically use the browser to login unless --interactive is set. In case I can't open a browser (such as over ssh) I'll show a URL the user can go to to complete the login.

The first pass is going to involve copying and pasting the key, but I want a solution that uses polling or something from the CLI to SSO in order to make the user not have to do anything other than fill the browser form out.

danp commented 8 years ago

That sounds pretty good. So it would be something like this?

  1. run heroku login
  2. browser opens going to special URL
  3. I sign in if necessary
  4. CLI polls something based on the special URL to get its token once I sign in

jdx commented 8 years ago

you got it!
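
The four-step flow listed above, sketched as an added example (not Heroku's implementation and not code from this thread): an in-memory stand-in for the sign-in service and the CLI's poll loop, run against a fake clock. `LoginService`, `waitForToken`, the `id.example.test` URL, and the choice to poll with a CLI-only secret that is separate from the ID in the browser URL are all assumptions made for illustration.

```javascript
// Added example: in-memory stand-in for the sign-in service plus the CLI poll loop.
const { randomBytes } = require('node:crypto');

// Hypothetical server side: tracks one pending login per CLI session.
class LoginService {
  constructor(now) { this.now = now; this.sessions = new Map(); }
  start(ttlMs = 60_000) {
    const pollSecret = randomBytes(32).toString('hex'); // kept by the CLI only
    const browserId = randomBytes(16).toString('hex');  // appears in the URL
    this.sessions.set(pollSecret, { browserId, expires: this.now() + ttlMs, token: null });
    return { pollSecret, url: `https://id.example.test/cli-login/${browserId}` };
  }
  // Called once the user has finished signing in through the browser.
  approve(browserId) {
    for (const s of this.sessions.values()) {
      if (s.browserId === browserId && s.expires > this.now()) s.token = randomBytes(32).toString('hex');
    }
  }
  poll(pollSecret) {
    const s = this.sessions.get(pollSecret);
    if (!s) return { status: 'unknown' };
    if (s.expires <= this.now()) { this.sessions.delete(pollSecret); return { status: 'expired' }; }
    if (!s.token) return { status: 'pending' };
    this.sessions.delete(pollSecret); // the token is handed out exactly once
    return { status: 'ok', token: s.token };
  }
}

// CLI side: poll until the login is approved, expires, or attempts run out.
function waitForToken(service, pollSecret, sleep, intervalMs = 2000, maxPolls = 30) {
  for (let i = 0; i < maxPolls; i++) {
    const r = service.poll(pollSecret);
    if (r.status !== 'pending') return r;
    sleep(intervalMs);
  }
  return { status: 'timeout' };
}

// Constructed run with a fake clock: the "user" signs in after N poll intervals.
function demo(approveAfterPolls, ttlMs) {
  let clock = 0, polls = 0;
  const svc = new LoginService(() => clock);
  const { pollSecret, url } = svc.start(ttlMs);
  const browserId = url.split('/').pop();
  const sleep = (ms) => { clock += ms; if (++polls === approveAfterPolls) svc.approve(browserId); };
  const result = waitForToken(svc, pollSecret, sleep);
  return { result, urlLeaksSecret: url.includes(pollSecret), replay: svc.poll(pollSecret) };
}
```

Because the poll secret never appears in the URL, someone who only sees the URL printed in a terminal or browser history cannot collect the token, and a second poll after success returns nothing.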

jdx commented 6 years ago

how does this look? (attached screen recording: 2018-05-08_15 55 41)

friism commented 6 years ago

Should there be an option to remember the choice or specify it on the command line (e.g. users might tire of having to hit b every time)?

Looks great

edmorley commented 5 years ago

> how does this look?

@jdxcode hi! Mozilla has just switched to using SSO for our Enterprise account, and the 8-hour token expiry and manual copy-paste flow from browser to console is pretty painful in comparison to the previous workflow. The screen recording from the quoted comment suggests there is a polling-based approach in the works. Is that still planned?

jdx commented 5 years ago

it's in beta right now, heroku update beta && heroku login

edmorley commented 5 years ago

Ah I'd looked only in this repo and not seen the alternative implementation in heroku-cli-command. The new feature works great - thank you!

danp commented 5 years ago

Fixed by the new login flow as part of https://blog.heroku.com/sso-improvements! 🎉