The step oauth command implements the OAuth 2.0 authorization flow.
OAuth is an open standard for access delegation, commonly used as a way for
Internet users to grant websites or applications access to their information on
other websites without giving them their passwords. This mechanism is used by
companies such as Amazon, Google, Facebook, Microsoft and Twitter to permit
users to share information about their accounts with third-party applications or
websites. Learn more at https://en.wikipedia.org/wiki/OAuth.
By default, this command performs the authorization flow with a preconfigured
Google application, but a custom one can be set by combining the flags
--client-id, --client-secret, and --provider. The provider value
must be set to the OIDC discovery document (.well-known/openid-configuration)
endpoint. If Google is used this flag is not necessary, but the appropriate
value would be https://accounts.google.com or
OAuth provider for authentication
Email to authenticate
Complete the flow while remaining only inside the terminal.
This flag defaults to use the Device Authorization Grant flow.
The alternative OAuth flow to use for input constrained devices.
console-flow is a case-insensitive string and must be one of:
Output HTTP Authorization Header (suitable for use with curl)
Output OIDC Token instead of OAuth Access Token
Only output the token
OAuth additional authentication parameters to include as part of the URL query.
Use this flag multiple times to add multiple parameters. This flag expects a
'key' and 'value' in the format '--auth-param "key=value"'.
Whether the Authorization Server prompts the End-User for reauthentication and consent.
The OpenID standard defines the following values, but your provider may support some or none of them:
none: The Authorization Server MUST NOT display any authentication or consent user interface pages.
An error is returned if an End-User is not already authenticated or the Client does not have
pre-configured consent for the requested Claims or does not fulfill other conditions for
processing the request.
login: The Authorization Server SHOULD prompt the End-User for reauthentication. If it cannot
reauthenticate the End-User, it MUST return an error, typically login_required.
consent: The Authorization Server SHOULD prompt the End-User for consent before returning information
to the Client. If it cannot obtain consent, it MUST return an error, typically consent_required.
select_account: The Authorization Server SHOULD prompt the End-User to select a user account. This enables an
End-User who has multiple accounts at the Authorization Server to select amongst the multiple
accounts that they might have current sessions for. If it cannot obtain an account selection
choice made by the End-User, it MUST return an error, typically account_selection_required.
Generate a JWT Auth token instead of an OAuth Token (only works with service accounts)
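
Before pointing --provider at a custom identity provider, it helps to confirm that its discovery document is internally consistent and that any --auth-param and prompt values are well formed. The following is an added example, not code from step or from the original page; the function names are hypothetical, the sample documents are constructed, and the discovery document is assumed to have been fetched already.

```python
from urllib.parse import urlencode, urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
PROMPTS = {"none", "login", "consent", "select_account"}  # values listed above

def discovery_url(provider):
    """Accept an issuer URL or a full discovery URL; return the discovery URL."""
    base = provider.rstrip("/")
    return base if base.endswith(WELL_KNOWN) else base + WELL_KNOWN

def check_discovery(provider, doc):
    """Return the problems found in an already-fetched discovery document."""
    problems = []
    issuer = discovery_url(provider)[: -len(WELL_KNOWN)]
    # The issuer must match the URL the document was published under
    # (compared here ignoring a trailing slash).
    if doc.get("issuer", "").rstrip("/") != issuer:
        problems.append("issuer mismatch")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        parts = urlsplit(doc.get(key, ""))
        if parts.scheme != "https" or not parts.netloc:
            problems.append(key + " is missing or not https")
    return problems

def build_query(auth_params, prompt=None):
    """Encode repeated 'key=value' strings and an optional prompt value."""
    pairs = []
    for item in auth_params:
        key, sep, value = item.partition("=")
        if not sep or not key:
            raise ValueError("expected key=value, got %r" % item)
        pairs.append((key, value))
    if prompt is not None:
        if prompt not in PROMPTS:
            raise ValueError("unsupported prompt value %r" % prompt)
        pairs.append(("prompt", prompt))
    return urlencode(pairs)

# Constructed sample documents for a hypothetical provider.
GOOD_DOC = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/keys",
}
BAD_DOC = dict(GOOD_DOC, issuer="https://other.example.net",
               token_endpoint="http://idp.example.com/token")
```

A non-empty result from check_discovery means the provider value or the document it serves should be reviewed before client credentials are used with it.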