Has anyone ever written up CLI-to-web authentication flows, like the one Heroku did, or the one Teleport does? I’m wondering if there’s best practices and stuff.

Excellent timing, today's blog post on the @oktadev blog is about exactly that! developer.okta.com/blog/2022… (it applies to anything outside Okta too of course)

“Open the browser and enter the following code” isn’t usually how these flows work.

Some do! But further down it says the CLI app can launch the browser on the machine if it has the ability to do so. Same flow under the hood tho. The other option is for the CLI app to spin up a web server on localhost to catch the redirect developer.okta.com/blog/2018…

AWS SSO opens a browser with the code embedded as a query param, then you login to your account, while the CLI is polling for changes from AWS to get a valid auth token after authn is done. I use `open <uri>` on macos for this.