This works, but it has a few downsides (beyond just being undocumented).
I think an OAuth API would be really nice for authentication with Balena. It would allow for a standards-based auth API and would ideally enable long-lived refresh tokens to keep the user logged in.
An OAuth password grant flow would be great, but a web-based OAuth authorization code flow with the PKCE extension might be even better for most public (especially third party) clients:
The user wouldn’t share credentials directly with the third party client
The user may already be logged into balena’s website (or use a browser’s password autofill)
Easier support for MFA and third party auth providers (GitHub or Google)
I’d love to hear if this is something that has been considered or is possibly on the road map.
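To illustrate the PKCE authorization code flow suggested above, here is an added example (not balena's code and not part of the original post): the RFC 7636 verifier/challenge generation a public client performs, and the check an authorization server makes at the token endpoint. The endpoint, client ID and redirect URI are hypothetical placeholders, since the thread documents no OAuth API.

```python
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlencode

# Hypothetical placeholders: no real OAuth endpoint is documented in this thread.
AUTHORIZE_URL = "https://auth.example.invalid/oauth/authorize"
CLIENT_ID = "example-public-client"
REDIRECT_URI = "com.example.app:/oauth2redirect"

# RFC 7636 section 4.1: 43-128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def challenge_for(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_pkce_pair() -> tuple[str, str]:
    """Client side: a fresh secret per login; only the challenge leaves the app."""
    verifier = b64url(secrets.token_bytes(32))  # 32 random bytes -> 43 characters
    return verifier, challenge_for(verifier)


def authorization_url(challenge: str, state: str) -> str:
    """URL the app opens in the system browser; no user credentials involved."""
    return AUTHORIZE_URL + "?" + urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,
    })


def server_accepts(stored_challenge: str, presented_verifier: str) -> bool:
    """Token endpoint: reject malformed verifiers, then compare in constant time."""
    if not VERIFIER_RE.fullmatch(presented_verifier):
        return False
    return hmac.compare_digest(challenge_for(presented_verifier), stored_challenge)
```

An authorization code intercepted on the redirect cannot be exchanged without the matching verifier, which never leaves the client that started the login.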
open https://dashboard.balena-cloud.com/login/cli/foobar%253A%2F%2F127.0.0.1%253A8989%2Fauth from your app
let foobar be your custom scheme, register it
user can log in & click on the Authorize button
I just tested this approach and it works. The only thing you have to keep in mind is that you have to change http (scheme) only. Otherwise it won’t work. The code is probably checking for the 127.0.0.1 & /auth? Don’t know for sure. Sounds like a not very reliable way to me. Good as a start.
You can also inspect the https://github.com/balena-io/balena-cli source to check what we’re doing. With balena login, you can use credentials and they can be stored in the iOS keychain already. You can ask the keychain for the website password; it can be autofilled.
Anyway, none of these things are officially supported (AFAIK) and we should wait for @shaunmulligan’s answer.
@zrzka I had played a bit with this approach as well. It’s a good hack, but has similar downsides to the JWT API (mostly being undocumented and providing short-lived session tokens).
Thanks for confirming that it’s technically possible, though.
We do have this as part of our roadmap. I can’t be specific in terms of any timeframe for this because, as far as I know, there was no work done yet. I can confirm though that this is something we do have on our radar, and seeing more people interested in it gives us an additional incentive. In order to track this activity, you can use a card we created in our public Trello board: https://trello.com/c/PW0Xcwbi/75-make-balenacloud-an-oauth-provider.