docker
diff --git a/‎cli/command/registry/login.go‎
Lines changed: 14 additions & 3 deletions b/‎cli/command/registry/login.go‎
Lines changed: 14 additions & 3 deletions
diff --git a/‎cli/command/registry/login_test.go‎
Lines changed: 3 additions & 1 deletion b/‎cli/command/registry/login_test.go‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎cli/command/registry/logout.go‎
Lines changed: 9 additions & 1 deletion b/‎cli/command/registry/logout.go‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎cli/internal/oauth/api/api.go‎
Lines changed: 228 additions & 0 deletions b/‎cli/internal/oauth/api/api.go‎
Lines changed: 228 additions & 0 deletions
@@ -10,6 +10,7 @@ import (
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
 	configtypes "github.com/docker/cli/cli/config/types"
+	"github.com/docker/cli/cli/internal/oauth/manager"
 	registrytypes "github.com/docker/docker/api/types/registry"
 	"github.com/docker/docker/client"
 	"github.com/docker/docker/errdefs"
@@ -100,9 +101,19 @@ func runLogin(ctx context.Context, dockerCli command.Cli, opts loginOptions) err
 		response, err = loginWithCredStoreCreds(ctx, dockerCli, &authConfig)
 	}
 	if err != nil || authConfig.Username == "" || authConfig.Password == "" {
-		err = command.ConfigureAuth(ctx, dockerCli, opts.user, opts.password, &authConfig, isDefaultRegistry)
-		if err != nil {
-			return err
+		if isDefaultRegistry && opts.user == "" && opts.password == "" {
+			// todo(laurazard: clean this up
+			store := dockerCli.ConfigFile().GetCredentialsStore(serverAddress)
+			oauthAuthConfig, err := manager.NewManager(store).LoginDevice(ctx, dockerCli.Err())
+			if err != nil {
+				return err
+			}
+			authConfig = registrytypes.AuthConfig(*oauthAuthConfig)
+		} else {
+			err = command.ConfigureAuth(ctx, dockerCli, opts.user, opts.password, &authConfig, isDefaultRegistry)
+			if err != nil {
+				return err
+			}
 		}
 
 		response, err = clnt.RegistryLogin(ctx, authConfig)
 
@@ -213,7 +213,9 @@ func TestLoginTermination(t *testing.T) {
 
 	runErr := make(chan error)
 	go func() {
-		runErr <- runLogin(ctx, cli, loginOptions{})
+		runErr <- runLogin(ctx, cli, loginOptions{
+			user: "test-user",
+		})
 	}()
 
 	// Let the prompt get canceled by the context
 
@@ -7,6 +7,7 @@ import (
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/config/credentials"
+	"github.com/docker/cli/cli/internal/oauth/manager"
 	"github.com/docker/docker/registry"
 	"github.com/spf13/cobra"
 )
@@ -34,7 +35,7 @@ func NewLogoutCommand(dockerCli command.Cli) *cobra.Command {
 	return cmd
 }
 
-func runLogout(_ context.Context, dockerCli command.Cli, serverAddress string) error {
+func runLogout(ctx context.Context, dockerCli command.Cli, serverAddress string) error {
 	var isDefaultRegistry bool
 
 	if serverAddress == "" {
@@ -53,6 +54,13 @@ func runLogout(_ context.Context, dockerCli command.Cli, serverAddress string) e
 		regsToLogout = append(regsToLogout, hostnameAddress, "http://"+hostnameAddress, "https://"+hostnameAddress)
 	}
 
+	if isDefaultRegistry {
+		store := dockerCli.ConfigFile().GetCredentialsStore(registry.IndexServer)
+		if err := manager.NewManager(store).Logout(ctx); err != nil {
+			fmt.Fprintf(dockerCli.Err(), "WARNING: %v\n", err)
+		}
+	}
+
 	fmt.Fprintf(dockerCli.Out(), "Removing login credentials for %s\n", hostnameAddress)
 	errs := make(map[string]error)
 	for _, r := range regsToLogout {
 
@@ -0,0 +1,228 @@
+// FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
+//go:build go1.21
+
+package api
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"runtime"
+	"strings"
+	"time"
+
+	"github.com/docker/cli/cli/version"
+)
+
+type OAuthAPI interface {
+	GetDeviceCode(ctx context.Context, audience string) (State, error)
+	WaitForDeviceToken(ctx context.Context, state State) (TokenResponse, error)
+	RevokeToken(ctx context.Context, refreshToken string) error
+	GetAutoPAT(ctx context.Context, audience string, res TokenResponse) (string, error)
+}
+
+// API represents API interactions with Auth0.
+type API struct {
+	// TenantURL is the base used for each request to Auth0.
+	TenantURL string
+	// ClientID is the client ID for the application to auth with the tenant.
+	ClientID string
+	// Scopes are the scopes that are requested during the device auth flow.
+	Scopes []string
+}
+
+// TokenResponse represents the response of the /oauth/token route.
+type TokenResponse struct {
+	AccessToken      string  `json:"access_token"`
+	IDToken          string  `json:"id_token"`
+	RefreshToken     string  `json:"refresh_token"`
+	Scope            string  `json:"scope"`
+	ExpiresIn        int     `json:"expires_in"`
+	TokenType        string  `json:"token_type"`
+	Error            *string `json:"error,omitempty"`
+	ErrorDescription string  `json:"error_description,omitempty"`
+}
+
+var ErrTimeout = errors.New("timed out waiting for device token")
+
+// GetDeviceCode initiates the device-code auth flow with the tenant.
+// The state returned contains the device code that the user must use to
+// authenticate, as well as the URL to visit, etc.
+func (a API) GetDeviceCode(ctx context.Context, audience string) (State, error) {
+	data := url.Values{
+		"client_id": {a.ClientID},
+		"audience":  {audience},
+		"scope":     {strings.Join(a.Scopes, " ")},
+	}
+
+	deviceCodeURL := a.TenantURL + "/oauth/device/code"
+	resp, err := postForm(ctx, deviceCodeURL, strings.NewReader(data.Encode()))
+	if err != nil {
+		return State{}, err
+	}
+	defer func() {
+		_ = resp.Body.Close()
+	}()
+
+	if resp.StatusCode != http.StatusOK {
+		return State{}, tryDecodeOAuthError(resp)
+	}
+
+	var state State
+	err = json.NewDecoder(resp.Body).Decode(&state)
+	if err != nil {
+		return state, fmt.Errorf("failed to get device code: %w", err)
+	}
+
+	return state, nil
+}
+
+func tryDecodeOAuthError(resp *http.Response) error {
+	var body map[string]any
+	if err := json.NewDecoder(resp.Body).Decode(&body); err == nil {
+		if errorDescription, ok := body["error_description"].(string); ok {
+			return errors.New(errorDescription)
+		}
+	}
+	return errors.New("unexpected response from tenant: " + resp.Status)
+}
+
+// WaitForDeviceToken polls the tenant to get access/refresh tokens for the user.
+// This should be called after GetDeviceCode, and will block until the user has
+// authenticated or we have reached the time limit for authenticating (based on
+// the response from GetDeviceCode).
+func (a API) WaitForDeviceToken(ctx context.Context, state State) (TokenResponse, error) {
+	ticker := time.NewTicker(state.IntervalDuration())
+	defer ticker.Stop()
+	timeout := time.After(state.ExpiryDuration())
+
+	for {
+		select {
+		case <-ctx.Done():
+			return TokenResponse{}, ctx.Err()
+		case <-ticker.C:
+			res, err := a.getDeviceToken(ctx, state)
+			if err != nil {
+				return res, err
+			}
+
+			if res.Error != nil {
+				if *res.Error == "authorization_pending" {
+					continue
+				}
+
+				return res, errors.New(res.ErrorDescription)
+			}
+
+			return res, nil
+		case <-timeout:
+			return TokenResponse{}, ErrTimeout
+		}
+	}
+}
+
+// getToken calls the token endpoint of Auth0 and returns the response.
+func (a API) getDeviceToken(ctx context.Context, state State) (TokenResponse, error) {
+	data := url.Values{
+		"client_id":   {a.ClientID},
+		"grant_type":  {"urn:ietf:params:oauth:grant-type:device_code"},
+		"device_code": {state.DeviceCode},
+	}
+	oauthTokenURL := a.TenantURL + "/oauth/token"
+
+	resp, err := postForm(ctx, oauthTokenURL, strings.NewReader(data.Encode()))
+	if err != nil {
+		return TokenResponse{}, fmt.Errorf("failed to get tokens: %w", err)
+	}
+	defer func() {
+		_ = resp.Body.Close()
+	}()
+
+	// this endpoint returns a 403 with an `authorization_pending` error until the
+	// user has authenticated, so we don't check the status code here and instead
+	// decode the response and check for the error.
+	var res TokenResponse
+	err = json.NewDecoder(resp.Body).Decode(&res)
+	if err != nil {
+		return res, fmt.Errorf("failed to decode response: %w", err)
+	}
+
+	return res, nil
+}
+
+// RevokeToken revokes a refresh token with the tenant so that it can no longer
+// be used to get new tokens.
+func (a API) RevokeToken(ctx context.Context, refreshToken string) error {
+	data := url.Values{
+		"client_id": {a.ClientID},
+		"token":     {refreshToken},
+	}
+
+	revokeURL := a.TenantURL + "/oauth/revoke"
+	resp, err := postForm(ctx, revokeURL, strings.NewReader(data.Encode()))
+	if err != nil {
+		return err
+	}
+	defer func() {
+		_ = resp.Body.Close()
+	}()
+
+	if resp.StatusCode != http.StatusOK {
+		return tryDecodeOAuthError(resp)
+	}
+
+	return nil
+}
+
+func postForm(ctx context.Context, reqURL string, data io.Reader) (*http.Response, error) {
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, reqURL, data)
+	if err != nil {
+		return nil, err
+	}
+
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	cliVersion := strings.ReplaceAll(version.Version, ".", "_")
+	req.Header.Set("User-Agent", fmt.Sprintf("docker-cli:%s:%s-%s", cliVersion, runtime.GOOS, runtime.GOARCH))
+
+	return http.DefaultClient.Do(req)
+}
+
+func (a API) GetAutoPAT(ctx context.Context, audience string, res TokenResponse) (string, error) {
+	patURL := audience + "/v2/access-tokens/desktop-generate"
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, patURL, nil)
+	if err != nil {
+		return "", err
+	}
+
+	req.Header.Set("Authorization", "Bearer "+res.AccessToken)
+	req.Header.Set("Content-Type", "application/json")
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return "", err
+	}
+	defer func() {
+		_ = resp.Body.Close()
+	}()
+
+	if resp.StatusCode != http.StatusCreated {
+		return "", fmt.Errorf("unexpected response from Hub: %s", resp.Status)
+	}
+
+	var response patGenerateResponse
+	err = json.NewDecoder(resp.Body).Decode(&response)
+	if err != nil {
+		return "", err
+	}
+
+	return response.Data.Token, nil
+}
+
+type patGenerateResponse struct {
+	Data struct {
+		Token string `json:"token"`
+	}
+}