OAuth Device Flow + App ID feedback/questions

[colemickens]

1. Though I do love a good use of OAuth Device Flow, it feels a bit awkward for this style of webapp. Is it easier for some reason? Is it the most practical way to do auth for a fully-client-side webapp and/or for GitHub, for some reason?

2. I was very surprised to see that I'd already authorized this app. I guess I'd ask that you consider provisioning separate apps, both as a good hygiene, future growth, changing it now is probably easier, and it just feels better? I certainly raised an eyebrow.

[kylecarbs]

Though I do love a good use of OAuth Device Flow, it feels a bit awkward for this style of webapp. Is it easier for some reason? Is it the most practical way to do auth for a fully-client-side webapp and/or for GitHub, for some reason?

I think it's the best route for now. Pulldash initially started as a desktop app, in that case I was using your gh CLI credentials, which actually use the same OAuth2 flow that Pulldash does.

The unfortunate thing about this flow is the expansive permissions needed for PR reviews.

I was very surprised to see that I'd already authorized this app. I guess I'd ask that you consider provisioning separate apps, both as a good hygiene, future growth, changing it now is probably easier, and it just feels better? I certainly raised an eyebrow.

Do you mean separate apps for desktop and web? This app was just created a few days ago specifically for Pulldash, not recycled from a prior project.

[colemickens]

This app was just created a few days ago specifically for Pulldash, not recycled from a prior project.

I must have just been confused then. I thought it came through as coder and thought maybe it was a re-used app that I'd previously authorized from another Coder project.

Okay, in that case maybe just one other question - does it make sense to document how to provision credentials for my own OAuth app that I control fully? For example, my employer's GitHub organization doesn't allow me to consent enough, to post the review (and right now, pulldash actually just drops the change on the ground when it gets the 4xx back). Rather than ask my boss to allow a third party app, I might be more able to easily convince him to provision us our OWN OAuth app, that I can then use with a fully offline ("vetted"...?) copy of pulldash?

Or maybe you have other thoughts.

Thanks! This is so exciting, it was really nice to use and I'm excited to try it more. Thanks for the attention here, also.