Closed
Description
@kylecarbs and I (Bryan) discussed the implementation for this a bit - we were considering either the same flow as in v1, or an alternative 'paste-less' flow.
next / Vercel has a really cool paste-less flow that looks like this:
- cli starts a localhost server (i.e., http://localhost:53080/)
- cli opens a browser that is sent to https://vercel.com/api/login-github?next=http://localhost:53080
- browser redirects to github.com/login/oauth/authorize?client_id=...state=...
- login completes, browser redirects to https://vercel.com/api/now/github-callback?code=...s&state=...
- That page redirects to http://localhost:53080/email=...&username=...&token=...
- CLI realizes the flow is complete, grabs the token!
- Browser redirects to https://vercel.com/cli-login-success and tells the user browser can be closed
However, we realized this is problematic in some environments - like using coder over SSH, because the local server being hosted wouldn't be available on the host machine, and the redirect flow would be busted.
So our plan is to stick with the same strategy of v1:
- Send the user to a special page that presents the session token via copy/paste
- Have the user enter it in the CLI directly
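
Added example, not part of the original issue and not code from coder or Vercel: a Go sketch of the CLI side of the paste-less flow, showing the loopback-only listener and the timeout a CLI hits when the browser cannot reach it (the SSH case), at which point it would fall back to copy/paste. The function name, the `loginBase` URL and the `nonce` parameter that ties the callback to this login attempt are assumptions.

```go
package main

import (
	"context"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"time"
)

// loopbackLogin: CLI side of the paste-less flow; loginBase and nonce are assumptions.
func loopbackLogin(loginBase string, open func(string), wait time.Duration) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0") // loopback only, random free port
	if err != nil {
		return "", err
	}
	nonce, ch := hex.EncodeToString(raw), make(chan string, 1)
	srv := &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		if q.Get("nonce") != nonce || q.Get("token") == "" { // not our login attempt
			http.Error(w, "unexpected callback", http.StatusBadRequest)
			return
		}
		select {
		case ch <- q.Get("token"):
		default: // a token was already delivered; ignore repeats
		}
		fmt.Fprintln(w, "Login complete. You can close this tab.")
	})}
	go srv.Serve(ln)
	defer srv.Shutdown(context.Background()) // lets the final response finish
	open(loginBase + "?next=" + url.QueryEscape("http://"+ln.Addr().String()+"/?nonce="+nonce))
	select {
	case t := <-ch:
		return t, nil
	case <-time.After(wait): // e.g. CLI on a remote host over SSH: browser cannot reach us
		return "", fmt.Errorf("no callback within %s; use the copy/paste flow", wait)
	}
}

func main() { // placeholder URL; a real CLI would launch the browser inside open
	fmt.Println(loopbackLogin("https://login.example.invalid/cli", func(u string) { fmt.Println("open:", u) }, time.Minute))
}
```

The token still travels in a URL query string here, as in the flow described above, so it can end up in browser history; the copy/paste flow avoids the listener entirely.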