Secure a CLI with Auth0
The three ways to secure a CLI with Auth0, in order of most secure to least secure, are:
Device Authorization Flow for when the user can't open a browser
Client Credentials Grant Flow for applications acting on their own behalf and not attributable to a user
Resource Owner Password Grant Flow only for when you're trying to authenticate the CLI client itself, which is a very rare situation (otherwise not recommended)
Device Authorization Flow
With input-constrained devices that connect to the internet, rather than authenticate the user directly, the device asks the user to go to a link on their computer or smartphone and authorize the device. This avoids a poor user experience for devices that do not have an easy way to enter text. To do this, device apps use the Device Authorization Flow (drafted in OAuth 2.0), in which they pass along their Client ID to initiate the authorization process and get a token.
The easiest way to implement the Device Authorization Flow is to follow the steps in Call API Using Device Authorization Flow.
To learn more about the Device Authorization Flow in OAuth 2.0, you can review the Internet Engineering Task Force (IEFT) draft OAuth 2.0 Authorization Grant. You can also review our article, Device Authorization Flow.
Client Credentials Grant Flow
Use the Client Credentials Grant (CCG) flow when users and downstream identity providers aren't involved, and you want to authenticate based on distinct machines or devices.
If your identity provider supports sending credentials, then you should review our article, Client Credentials Flow. For details on how to implement this flow, refer to Call API Using the Client Credentials Flow.
Resource Owner Password Grant Flow
We do not recommend using the Resource Owner Password Grant (ROPG) flow for native applications. In the IEFT article, RFC 8252 OAuth 2.0 for Native Apps, it is recommended that “OAuth 2.0 authorization request from native apps should ONLY be made through external user-agents, primarily the user’s browser”. For details, see RFC 8252 Embedded User-Agents.
Using Resource Owner Password Grant (ROPG) are less secure than the redirect-based options described above. ROPG is only for legacy. In the context of CLIs, it only makes sense for things like connection strings where you need to support legacy programs.
If you must use ROPG in your native app instead of Device Flow as we recommend, then you can use our OIDC Compliant ROPG endpoint.