A browserless client can obtain an access token using device login. This is useful when running in an SSH session or an agent. Spotless acts as the device authorization server your client and continues login on another device. The user then completes login on their chosen device.
Using spotless you can use the device flow with any spotless integrated service, even if the upstream service doesn't support device auth.
Get in touch if the service you want is not supported.
A device login takes 3 steps and requires only an http client.
This needs to be run from the location that needs the authorization token, i.e. in the ssh session or agent.
Start by making a request to the authorization endpoint https://spotless.run/device/:service.
Include a client_id must be a localhost origin (i.e. http://localhost) and an optional list of scopes.
The available scopes are different per service.
This example will get an access token for airtable with read permission for records. Airtable requires at least one scope.
curl -s -X POST https://spotless.run/device/airtable \
-d 'client_id=http://localhost' \
-d 'scope=data.records:read'
The response contains:
- a user_code to show the human
- a verification_uri for the human to visit.
- a device_code for this device to use.
This step is run from the device with a browser, likely your laptop or phone.
Open the verification page https://spotless.run/verify.
Enter the code from the terminal and approve.
The original device polls the token endpoint https://spotless.run/token
curl -s -X POST https://spotless.run/token \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:device_code' \
--data-urlencode 'device_code=$DEVICE_CODE'
Until the login is approved the token endpoint replies authorization_pending.
After approval it returns the upstream access token.
The steps above allow you to manually login from a ssh session, with nothing setup. However it's quicker to use a helper scripts.