The three ways to secure a CLI with Auth0, in order of most secure to least secure, are:

Device Authorization Flow

With input-constrained devices that connect to the internet, rather than authenticate the user directly, the device asks the user to go to a link on their computer or smartphone and authorize the device. This avoids a poor user experience for devices that do not have an easy way to enter text. To do this, device apps use the Device (drafted in OAuth 2.0), in which they pass along their to initiate the authorization process and get a token. The easiest way to implement the Device Authorization Flow is to follow the steps in Call API Using Device Authorization Flow. To learn more about the Device Authorization Flow in , you can review the Internet Engineering Task Force (IEFT) draft OAuth 2.0 Authorization Grant. You can also review our article, Device Authorization Flow.

Client Credentials Grant Flow

Use the Client Credentials Grant (CCG) flow when users and downstream aren’t involved, and you want to authenticate based on distinct machines or devices. If your identity provider supports sending credentials, then you should review our article, Client Credentials Flow. For details on how to implement this flow, refer to Call API Using the Client Credentials Flow.

Resource Owner Password Grant Flow

We do not recommend using the Password Grant (ROPG) flow for native applications. In the IEFT article, RFC 8252 OAuth 2.0 for Native Apps, it is recommended that “OAuth 2.0 authorization request from native apps should ONLY be made through external user-agents, primarily the user’s browser”. For details, see RFC 8252 Embedded User-Agents. Using Resource Owner Password Grant (ROPG) are less secure than the redirect-based options described above. ROPG is only for legacy. In the context of CLIs, it only makes sense for things like connection strings where you need to support legacy programs. If you must use ROPG in your native app instead of Device Flow as we recommend, then you can use our OIDC Compliant ROPG endpoint.