joggrdocs
diff --git a/‎.changeset/config.json‎
Lines changed: 1 addition & 5 deletions b/‎.changeset/config.json‎
Lines changed: 1 addition & 5 deletions
diff --git a/‎.changeset/oauth-pkce-device-code.md‎
Lines changed: 21 additions & 0 deletions b/‎.changeset/oauth-pkce-device-code.md‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎docs/concepts/authentication.md‎
Lines changed: 77 additions & 11 deletions b/‎docs/concepts/authentication.md‎
Lines changed: 77 additions & 11 deletions
diff --git a/‎docs/guides/add-authentication.md‎
Lines changed: 107 additions & 13 deletions b/‎docs/guides/add-authentication.md‎
Lines changed: 107 additions & 13 deletions
diff --git a/‎examples/authenticated-service/cli/src/index.ts‎
Lines changed: 3 additions & 1 deletion b/‎examples/authenticated-service/cli/src/index.ts‎
Lines changed: 3 additions & 1 deletion
@@ -7,9 +7,5 @@
   "access": "public",
   "baseBranch": "main",
   "updateInternalDependencies": "patch",
-  "ignore": [
-    "@examples/simple",
-    "@examples/advanced",
-    "@examples/authenticated-service"
-  ]
+  "ignore": ["@examples/simple", "@examples/advanced", "@examples/authenticated-service"]
 }
@@ -0,0 +1,21 @@
+---
+"@kidd-cli/core": minor
+---
+
+Replace non-standard OAuth flow with spec-compliant PKCE (RFC 7636) and add Device Authorization Grant (RFC 8628)
+
+The `oauth` resolver now implements the standard OAuth 2.0 Authorization Code flow with PKCE. The previous non-standard direct-token-POST flow has been removed entirely.
+
+**Breaking change:** `OAuthSourceConfig` now requires `clientId` and `tokenUrl` in addition to `authUrl`.
+
+Before:
+```ts
+{ source: 'oauth', authUrl: 'https://example.com/auth' }
+```
+
+After:
+```ts
+{ source: 'oauth', clientId: 'my-client-id', authUrl: 'https://example.com/authorize', tokenUrl: 'https://example.com/token' }
+```
+
+New `device-code` resolver added for headless/browserless environments (RFC 8628).
@@ -112,22 +112,73 @@ Reads any credential type from a JSON file on disk via kidd's store system.
 | `filename` | `string` | `'auth.json'` | Filename within the store dir |
 | `dirName`  | `string` | `.<cli-name>` | Store directory name          |
 
-### `oauth` -- OAuth Browser Flow
+### `oauth` -- OAuth Authorization Code + PKCE (RFC 7636)
 
-Opens the user's browser to an auth URL, starts a local HTTP server to receive the callback, and extracts the token from a POST request with a JSON body `{ "token": "<value>" }`. Query-string tokens are not accepted to prevent credential leakage through browser history, server logs, and referrer headers.
+Implements the standard OAuth 2.0 Authorization Code flow with Proof Key for Code Exchange (PKCE) per [RFC 7636](https://tools.ietf.org/html/rfc7636) and [RFC 8252](https://tools.ietf.org/html/rfc8252) for native apps.
+
+The flow:
+
+1. CLI generates a `code_verifier` and derives the `code_challenge` (S256)
+2. CLI starts a local HTTP server on `127.0.0.1` and opens the browser to the authorization URL
+3. User authenticates in the browser; the authorization server redirects back to the local server with an authorization code via GET
+4. CLI exchanges the code at the token endpoint with the `code_verifier`
+5. Token endpoint validates the verifier and returns an access token
+
+```ts
+{
+  source: 'oauth',
+  clientId: 'my-client-id',
+  authUrl: 'https://example.com/authorize',
+  tokenUrl: 'https://example.com/token',
+  scopes: ['openid', 'profile'],
+}
+```
+
+| Option         | Type                | Default       | Description                       |
+| -------------- | ------------------- | ------------- | --------------------------------- |
+| `clientId`     | `string`            | --            | OAuth client ID (required)        |
+| `authUrl`      | `string`            | --            | Authorization endpoint (required) |
+| `tokenUrl`     | `string`            | --            | Token endpoint (required)         |
+| `scopes`       | `readonly string[]` | `[]`          | OAuth scopes to request           |
+| `port`         | `number`            | `0` (random)  | Local callback server port        |
+| `callbackPath` | `string`            | `'/callback'` | Callback endpoint path            |
+| `timeout`      | `number`            | `120_000`     | Timeout in milliseconds           |
+
+Compatible with any OAuth 2.0 provider that supports PKCE with public clients, including Clerk (configured as a public OAuth application).
+
+### `device-code` -- Device Authorization Grant (RFC 8628)
+
+Implements the [OAuth 2.0 Device Authorization Grant](https://tools.ietf.org/html/rfc8628) for headless or browserless environments.
+
+The flow:
+
+1. CLI requests a device code from the authorization server
+2. CLI displays a verification URL and user code for the user to enter in a browser
+3. CLI polls the token endpoint until the user completes authorization
+4. Token endpoint returns an access token on success
 
 ```ts
-{ source: 'oauth', authUrl: 'https://example.com/auth', port: 0, timeout: 120_000 }
+{
+  source: 'device-code',
+  clientId: 'my-client-id',
+  deviceAuthUrl: 'https://example.com/device/code',
+  tokenUrl: 'https://example.com/token',
+  scopes: ['openid'],
+}
 ```
 
-| Option         | Type     | Default       | Description                  |
-| -------------- | -------- | ------------- | ---------------------------- |
-| `authUrl`      | `string` | --            | Authorization URL (required) |
-| `port`         | `number` | `0` (random)  | Local server port            |
-| `callbackPath` | `string` | `'/callback'` | Callback endpoint path       |
-| `timeout`      | `number` | `120_000`     | Timeout in milliseconds      |
+| Option          | Type                | Default   | Description                              |
+| --------------- | ------------------- | --------- | ---------------------------------------- |
+| `clientId`      | `string`            | --        | OAuth client ID (required)               |
+| `deviceAuthUrl` | `string`            | --        | Device authorization endpoint (required) |
+| `tokenUrl`      | `string`            | --        | Token endpoint (required)                |
+| `scopes`        | `readonly string[]` | `[]`      | OAuth scopes to request                  |
+| `pollInterval`  | `number`            | `5_000`   | Poll interval in milliseconds            |
+| `timeout`       | `number`            | `300_000` | Timeout in milliseconds                  |
+
+The device code flow handles RFC 8628 error codes: `authorization_pending` (continue polling), `slow_down` (increase interval), `expired_token` (return null), and `access_denied` (return null).
 
-The auth URL receives a `callback_url` query parameter pointing to the local server. The OAuth provider must POST a JSON body `{ "token": "<value>" }` to this URL on success.
+Supported by GitHub, Azure AD, and Google. Not supported by Clerk.
 
 ### `prompt` -- Interactive Password Input
 
@@ -197,7 +248,16 @@ cli({
   name: 'my-app',
   version: '1.0.0',
   middleware: [
-    auth({ resolvers: [{ source: 'oauth', authUrl: 'https://example.com/auth' }] }),
+    auth({
+      resolvers: [
+        {
+          source: 'oauth',
+          clientId: 'my-client-id',
+          authUrl: 'https://example.com/authorize',
+          tokenUrl: 'https://example.com/token',
+        },
+      ],
+    }),
     http({ baseUrl: 'https://api.example.com', namespace: 'api' }),
   ],
   commands: { login, repos },
@@ -206,6 +266,12 @@ cli({
 
 Header priority (lowest to highest): auth credential headers, default headers, per-request headers.
 
+## Resources
+
+- [RFC 7636 -- Proof Key for Code Exchange](https://tools.ietf.org/html/rfc7636)
+- [RFC 8252 -- OAuth 2.0 for Native Apps](https://tools.ietf.org/html/rfc8252)
+- [RFC 8628 -- Device Authorization Grant](https://tools.ietf.org/html/rfc8628)
+
 ## References
 
 - [kidd API Reference](../reference/kidd.md)
 
@@ -23,7 +23,12 @@ cli({
   middleware: [
     auth({
       resolvers: [
-        { source: 'oauth', authUrl: 'https://example.com/auth' },
+        {
+          source: 'oauth',
+          clientId: 'my-client-id',
+          authUrl: 'https://example.com/authorize',
+          tokenUrl: 'https://example.com/token',
+        },
         { source: 'prompt', message: 'Enter your API token:' },
       ],
     }),
@@ -97,7 +102,12 @@ cli({
   middleware: [
     auth({
       resolvers: [
-        { source: 'oauth', authUrl: 'https://example.com/auth' },
+        {
+          source: 'oauth',
+          clientId: 'my-client-id',
+          authUrl: 'https://example.com/authorize',
+          tokenUrl: 'https://example.com/token',
+        },
         { source: 'prompt', message: 'Enter your API token:' },
       ],
     }),
@@ -145,12 +155,12 @@ export default command({
       return
     }
 
-    ctx.output.table(
-      res.data.map((repo) => ({
-        Name: repo.name,
-        Private: repo.private ? 'yes' : 'no',
-      }))
-    )
+    const rows = res.data.map((repo) => ({
+      Name: repo.name,
+      Private: repo.private,
+    }))
+
+    ctx.output.table(rows)
   },
 })
 ```
@@ -164,13 +174,82 @@ auth({
   resolvers: [
     { source: 'env', tokenVar: 'MY_APP_TOKEN' },
     { source: 'dotenv' },
-    { source: 'oauth', authUrl: 'https://example.com/auth' },
+    {
+      source: 'oauth',
+      clientId: 'my-client-id',
+      authUrl: 'https://example.com/authorize',
+      tokenUrl: 'https://example.com/token',
+    },
     { source: 'prompt' },
   ],
 })
 ```
 
-Passive resolvers (`env`, `dotenv`, `file`) run automatically on middleware init. Interactive resolvers (`oauth`, `prompt`, `custom`) only run when `ctx.auth.authenticate()` is called.
+Passive resolvers (`env`, `dotenv`, `file`) run automatically on middleware init. Interactive resolvers (`oauth`, `device-code`, `prompt`, `custom`) only run when `ctx.auth.authenticate()` is called.
+
+### 7. Use PKCE with Clerk as the Identity Provider
+
+Configure the OAuth resolver to use Clerk as a public OAuth application with PKCE:
+
+```ts
+auth({
+  resolvers: [
+    {
+      source: 'oauth',
+      clientId: '<clerk-oauth-app-id>',
+      authUrl: 'https://<clerk-domain>/oauth/authorize',
+      tokenUrl: 'https://<clerk-domain>/oauth/token',
+      scopes: ['openid', 'profile', 'email'],
+    },
+  ],
+})
+```
+
+### 8. Use the device code flow for headless environments
+
+For environments without a browser (SSH sessions, remote servers), use the device code flow:
+
+```ts
+auth({
+  resolvers: [
+    {
+      source: 'device-code',
+      clientId: 'my-client-id',
+      deviceAuthUrl: 'https://github.com/login/device/code',
+      tokenUrl: 'https://github.com/login/oauth/access_token',
+      scopes: ['repo', 'read:user'],
+    },
+  ],
+})
+```
+
+The CLI displays a URL and a user code. The user opens the URL in any browser (including on a different device), enters the code, and completes authorization.
+
+### 9. Combine multiple resolvers
+
+Chain resolvers to support multiple authentication strategies:
+
+```ts
+auth({
+  resolvers: [
+    { source: 'env', tokenVar: 'MY_APP_TOKEN' },
+    { source: 'file' },
+    {
+      source: 'oauth',
+      clientId: 'my-client-id',
+      authUrl: 'https://example.com/authorize',
+      tokenUrl: 'https://example.com/token',
+    },
+    {
+      source: 'device-code',
+      clientId: 'my-client-id',
+      deviceAuthUrl: 'https://example.com/device/code',
+      tokenUrl: 'https://example.com/token',
+    },
+    { source: 'prompt' },
+  ],
+})
+```
 
 ## Verification
 
@@ -190,11 +269,23 @@ MY_APP_TOKEN=ghp_abc123 my-app repos
 
 ## Troubleshooting
 
-### OAuth callback never received
+### OAuth redirect not received
+
+**Issue:** The browser opens but the CLI hangs waiting for the redirect.
+
+**Fix:** Ensure the OAuth provider is configured to redirect to `http://127.0.0.1:<port>/callback` with `code` and `state` query parameters. Verify the `clientId` is correct and the application is configured as a public client with PKCE support. Check that no firewall is blocking the local port.
+
+### Token exchange fails
+
+**Issue:** The redirect is received but no credential is returned.
+
+**Fix:** Verify the `tokenUrl` is correct and accepts `application/x-www-form-urlencoded` POST requests. Ensure the OAuth provider accepts the `code_verifier` parameter for PKCE validation.
+
+### Device code flow times out
 
-**Issue:** The browser opens but the CLI hangs waiting for the callback.
+**Issue:** The CLI polls but never receives a token.
 
-**Fix:** Ensure the auth server sends a POST request to the `callback_url` query parameter with a JSON body `{ "token": "<value>" }`. Query-string tokens are not accepted. Check that no firewall is blocking the local port.
+**Fix:** Verify the `deviceAuthUrl` and `tokenUrl` are correct. Ensure the OAuth provider supports the Device Authorization Grant (RFC 8628). Clerk does not support this flow -- use the `oauth` resolver instead.
 
 ### Token not persisted after login
 
@@ -211,6 +302,9 @@ MY_APP_TOKEN=ghp_abc123 my-app repos
 ## Resources
 
 - [@clack/prompts](https://www.clack.cc)
+- [RFC 7636 -- PKCE](https://tools.ietf.org/html/rfc7636)
+- [RFC 8252 -- OAuth for Native Apps](https://tools.ietf.org/html/rfc8252)
+- [RFC 8628 -- Device Authorization Grant](https://tools.ietf.org/html/rfc8628)
 
 ## References
 
 
@@ -16,10 +16,12 @@ cli({
     auth({
       resolvers: [
         {
-          authUrl: 'http://localhost:3001/auth',
+          authUrl: 'http://localhost:3001/authorize',
+          clientId: 'demo-client',
           port: 0,
           source: 'oauth',
           timeout: 60_000,
+          tokenUrl: 'http://localhost:3001/token',
         },
         { message: 'Enter your API token (see README for valid tokens):', source: 'prompt' },
       ],