Context
We want `ol auth login` to open the browser for OAuth authorization (like Doist/todoist-cli#2) instead of prompting for a manual API token paste.
Blocker
Outline's OAuth server requires HTTPS redirect URIs unconditionally, which prevents the standard http://localhost:PORT/callback pattern used by CLI tools. This violates RFC 8252 §7.3 (Loopback Interface Redirection for native apps).
Upstream issue: outline/outline#11254
Once that's resolved, we can implement the full OAuth PKCE flow here.
Implementation plan
To be used with a coding agent, for instance:
## OAuth PKCE Implementation Plan
### New files
- `src/lib/pkce.ts` — PKCE utilities (generateCodeVerifier, generateCodeChallenge, generateState)
- `src/lib/oauth-server.ts` — Local HTTP callback server (listen on localhost, wait for redirect with auth code, validate state, return code)
- `src/lib/oauth.ts` — buildAuthorizationUrl + exchangeCodeForToken (POST to /oauth/token with code_verifier, no client_secret)
### Modified files
- `src/commands/auth.ts` — `ol auth login` triggers OAuth flow (open browser, start local server, exchange code); `ol auth login --token <token>` preserved for manual auth
- `package.json` — Add `open` dependency
### Flow
1. Generate PKCE code_verifier + code_challenge + state
2. Start local callback server on localhost
3. Open browser to `{base_url}/oauth/authorize?client_id=...&code_challenge=...&state=...&redirect_uri=http://localhost:PORT/callback`
4. User authorizes in browser → redirected to local server
5. Local server validates state, extracts code
6. Exchange code for access_token via POST to /oauth/token with code_verifier
7. Save token to config
### Notes
- Requires the user to register an OAuth app in Outline (Settings → Applications) as a "public" client type
- The client_id will need to be configured (env var or config), not hardcoded — unlike todoist-cli which uses a single shared app
- 3-minute timeout on callback server
- Preserve `ol auth login --token` as fallback
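The PKCE pieces of the plan above (the `src/lib/pkce.ts` helpers, the authorize-URL builder from `src/lib/oauth.ts`, and the state check the callback server in `src/lib/oauth-server.ts` must perform) as an added TypeScript example; this is not code from the ol repository. The base URL, client id and port are placeholders, and `response_type` / `code_challenge_method` are the standard OAuth/PKCE parameter names rather than values taken from Outline's own documentation.

```typescript
import { createHash, randomBytes } from "crypto";

// base64url per RFC 7636: URL-safe alphabet, no padding.
function base64url(buf: Buffer): string {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
// code_verifier: 43..128 chars of [A-Za-z0-9-._~]; 32 random bytes encode to 43.
export function generateCodeVerifier(): string {
  return base64url(randomBytes(32));
}
// S256: BASE64URL(SHA256(ASCII(verifier))). Only the challenge goes into the browser URL;
// the verifier stays in the CLI until the token exchange, so a leaked code alone is useless.
export function generateCodeChallenge(verifier: string): string {
  return base64url(createHash("sha256").update(verifier, "ascii").digest());
}
// Opaque per-login state bound to the pending callback (CSRF protection).
export function generateState(): string {
  return base64url(randomBytes(16));
}

export interface AuthRequest {
  baseUrl: string;       // Outline instance, e.g. "https://outline.example" (placeholder)
  clientId: string;      // public client from Settings -> Applications, supplied via config
  port: number;          // loopback port the local callback server bound to
  codeChallenge: string;
  state: string;
}
// Flow step 3. response_type and code_challenge_method are the standard OAuth/PKCE names.
export function buildAuthorizationUrl(r: AuthRequest): string {
  const url = new URL("/oauth/authorize", r.baseUrl);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", r.clientId);
  url.searchParams.set("redirect_uri", `http://localhost:${r.port}/callback`);
  url.searchParams.set("code_challenge", r.codeChallenge);
  url.searchParams.set("code_challenge_method", "S256");
  url.searchParams.set("state", r.state);
  return url.toString();
}
// Flow step 5: run on the request the local server receives. Check state before
// anything else so a stray or forged redirect cannot hand the CLI someone else's code.
export function parseCallback(requestUrl: string, expectedState: string): string {
  const params = new URL(requestUrl, "http://localhost").searchParams;
  if (params.get("state") !== expectedState) throw new Error("state mismatch: callback ignored");
  const err = params.get("error");
  if (err) throw new Error(`authorization failed: ${err}`);
  const code = params.get("code");
  if (!code) throw new Error("callback carried no authorization code");
  return code;
}
```

`generateCodeChallenge` reproduces the RFC 7636 Appendix B test vector, which is a quick way to check the encoding before wiring it into `ol auth login`.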