Authenticating a CLI with Okta

Mar 31, 2025
2 min read

The standard OAUTH authentication flow requires running a web server so there’s a place to redirect to after obtaining a token. But there’s another type of flow called device authorization that is meant for smart TVs and things like that, but it also works for a terminal application. This enables some really powerful terminal applications, because you can use REST APIs that require a bearer token. I learned how to do this using a burner Okta account.

Here is some Okta dev documentation on this. Their examples use cURL, but I wanted to write some Clojure to do it. The basic flow is like this:

initialize authentication by making a request to /oauth2/v1/device/authorize
open a web browser so the user can enter the provided device code
while the user is finishing, poll /oauth2/v1/token until the device code is accepted

The end result is a response with the bearer token you can then use with API requests. The entire auth flow in fewer than 70 lines with babashka:

#!/usr/bin/env bb
(ns boop
  (:require
   [babashka.fs      :as fs]
   [babashka.curl    :as curl]
   [cheshire.core    :as json]
   [babashka.process :refer [sh]]))

(def bearer-token-file (str (System/getProperty "user.home") "/.token_cache"))
(def client-id (System/getenv "OKTA_CLIENT_ID"))
(def device-auth-url (format "https://%s/oauth2/v1/device/authorize" (System/getenv "OKTA_HOSTNAME")))
(def token-url (format "https://%s/oauth2/v1/token" (System/getenv "OKTA_HOSTNAME")))

(defn save-token [token]
  (spit bearer-token-file token))

(defn initialize-auth
  [device-auth-url client-id]
  (->
   (curl/post device-auth-url {:form-params {:client_id client-id
                                             :scope "openid profile offline_access"}})
   :body
   (json/parse-string true)))

(defn poll-for-token
  [device-code client-id interval]
  (loop []
    (Thread/sleep (* (or interval 5) 1000))
    (let [{:keys [error access_token]}
          (->
           (curl/post token-url {:form-params {:device_code device-code
                                               :grant_type "urn:ietf:params:oauth:grant-type:device_code"
                                               :client_id client-id}
                                 :throw false})
           :body
           (json/parse-string true))]
      (if error
        (recur)
        access_token))))

(defn device-login
  [device-auth-url client-id]
  (let [{:keys [device_code user_code verification_uri interval]}
        (initialize-auth device-auth-url client-id)]
    (when (and device_code user_code verification_uri)
      (println "Go to" verification_uri "and enter code:" user_code)
      (println "Press any key to continue...")
      (read-line)
      (sh "open" verification_uri) ;; Open in browser
      (save-token (poll-for-token device_code client-id interval))
      (println "Login successful."))))

(defn device-logout
  [bearer-token-file]
  (fs/delete-if-exists bearer-token-file)
  (println "Logged out."))

(defn -main [& args]
  (case (first args)
    "login"  (device-login device-auth-url client-id)
    "logout" (device-logout bearer-token-file)
    (println "Usage: boop login")))

(when (= *file* (System/getProperty "babashka.file"))
  (apply -main *command-line-args*))