The process for getting user credentials is designed for other frontend applications that can use OIDC flow. That does not work for command-line tools.
Tools provides an alternative flow to support non-OIDC applications. The
process involves a browser and a redirect flow that finishes at a URL pointing
to a local server, containing Taskcluster credentials. For command-line tools,
this is a small webserver running within the tool itself. The tool itself
requests that the user either create a new client or reset the
for an existing client.
The tool should open a new browser window with a URL with prefix
https://tools.taskcluster.net/auth/clients/new and the following URL-encoded
name-- name suffix for the client
description-- description of the client
scope(can be repeated) -- scopes the new client will need
expires-- time until the new client expires
callback_url-- URL to which the resulting credentials will be sent
name should be the same from one invocation to the next by the same tool,
allowing the user to re-use an existing client of the same name. The
will be created by appending the
name to a prefix where the user has
permission to create clients. The
description will become the description of
the newly-created user.
scope parameter can be specified multiple times, and allows the creation
of a client with only the required scopes -- a good security practice. The
resulting client's scopes are the intersection of the user's scopes and the
scope parameters. For example, a tool for administering the hooks service
expires parameter specifies a lifetime for the resulting clientId, in a
format defined by taskcluster-client's
?expires=3h would result in credentials expiring in 3 hours.
callback_url is the URL to which the user's browser should be
redirected with the resulting client. It is called with the URL-encoded query
accessToken. When this URL is accessed, the
command-line tool should respond with some simple HTML for the browser to
display, then extract the credentials from the URL and use them as desired.