From e08f92d19baac8d8b46948f4a0bdfcd8f25d83c9 Mon Sep 17 00:00:00 2001 From: Will Vedder Date: Tue, 6 Dec 2022 15:05:34 -0500 Subject: [PATCH 1/8] Consolidating Manage configured tenants. Usage: auth0 tenants [parameters...] [flags] Available Operations: use Set the active tenant list List your tenants [ls] open Open tenant settings page in the Auth0 Dashboard Flags: -h, --help help for tenants Global Flags: --debug Enable debug mode. --json Output in json format. --no-color Disable colors. --no-input Disable interactivity. --tenant string Specific tenant to use. (default "auth0-cli-integration-tests.us.auth0.com") Use "auth0 tenants [command] --help" for more information about a command. into --- internal/cli/login.go | 1 + test/integration/test-cases.yaml | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/internal/cli/login.go b/internal/cli/login.go index 23c5693bf..7be564b1c 100644 --- a/internal/cli/login.go +++ b/internal/cli/login.go @@ -71,6 +71,7 @@ auth0 login --domain --client-id --client-secret Date: Tue, 6 Dec 2022 16:12:08 -0500 Subject: [PATCH 2/8] Cleaning up messaging --- internal/cli/cli.go | 15 ++++++++++----- internal/cli/login.go | 26 ++++++++------------------ 2 files changed, 18 insertions(+), 23 deletions(-) diff --git a/internal/cli/cli.go b/internal/cli/cli.go index 927d7223c..acf8c6104 100644 --- a/internal/cli/cli.go +++ b/internal/cli/cli.go 
@@ -207,18 +207,23 @@ func (c *cli) prepareTenant(ctx context.Context) (Tenant, error) { return Tenant{}, err } - if t.AccessToken == "" || (scopesChanged(t) && t.authenticatedWithDeviceCodeFlow()) { - return RunLoginAsUser(ctx, c, true) + if scopesChanged(t) && t.authenticatedWithDeviceCodeFlow() { + c.renderer.Warnf("Required scopes have changed. Please sign in to re-authorize the CLI.") + return RunLoginAsUser(ctx, c) } - if !t.hasExpiredToken() { + if t.AccessToken != "" && !t.hasExpiredToken() { return t, nil } if err := t.regenerateAccessToken(ctx, c); err != nil { // Ask and guide the user through the login process. - c.renderer.Errorf("failed to renew access token, %s", err) - return RunLoginAsUser(ctx, c, true) + if t.authenticatedWithDeviceCodeFlow() { + c.renderer.Warnf("Failed to renew access token. Please sign in to re-authenticate the CLI.") + return RunLoginAsUser(ctx, c) + } + + return t, fmt.Errorf("Failed to renew access token. This may occur if the designated application has been deleted or client secret has been rotated. Please re-authenticate by running `auth0 login --as-machine`") } if err := c.addTenant(t); err != nil { diff --git a/internal/cli/login.go b/internal/cli/login.go index 7be564b1c..12ef40d5a 100644 --- a/internal/cli/login.go +++ b/internal/cli/login.go @@ -66,7 +66,12 @@ auth0 login --domain --client-id --client-secret --client-id --client-secret Date: Tue, 6 Dec 2022 16:49:40 -0500 Subject: [PATCH 3/8] Minor changes --- internal/auth/token.go | 10 ++++++---- internal/cli/cli.go | 10 +++++----- internal/cli/login.go | 5 +++-- 3 files changed, 14 insertions(+), 11 deletions(-) diff --git a/internal/auth/token.go b/internal/auth/token.go index 122b5b137..7cd964d80 100644 --- a/internal/auth/token.go +++ b/internal/auth/token.go 
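Review bot: The `err` returned by `t.regenerateAccessToken` is discarded in both new branches of `prepareTenant`, so a network timeout, a cancelled context and a rejected credential all surface as the same fixed message. For the machine path, wrap the cause and return the zero value, e.g. `return Tenant{}, fmt.Errorf("failed to renew access token (the application may have been deleted or its client secret rotated): %w", err)`. For the device-code path, include `err` in the `Warnf` text so the user can see why a new login is being requested. The same pattern is carried through the later `prepareTenant` hunks in patches 3/8 and 8/8. The function starts and ends outside this hunk.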
@@ -32,10 +32,12 @@ func (t *TokenRetriever) Delete(tenant string) error { // The request is used the default client_id and endpoint for device authentication. func (t *TokenRetriever) Refresh(ctx context.Context, tenant string) (TokenResponse, error) { // get stored refresh token: - refreshToken, err := t.Secrets.Get(SecretsNamespace, tenant) - if err != nil { - return TokenResponse{}, fmt.Errorf("cannot get the stored refresh token: %w", err) - } + // refreshToken, err := t.Secrets.Get(SecretsNamespace, tenant) + // if err != nil { + // return TokenResponse{}, fmt.Errorf("cannot get the stored refresh token: %w", err) + // } + + refreshToken := "fadsfasdf" if refreshToken == "" { return TokenResponse{}, errors.New("cannot use the stored refresh token: the token is empty") } diff --git a/internal/cli/cli.go b/internal/cli/cli.go index acf8c6104..9b0f63813 100644 --- a/internal/cli/cli.go +++ b/internal/cli/cli.go @@ -217,13 +217,13 @@ func (c *cli) prepareTenant(ctx context.Context) (Tenant, error) { } if err := t.regenerateAccessToken(ctx, c); err != nil { - // Ask and guide the user through the login process. - if t.authenticatedWithDeviceCodeFlow() { - c.renderer.Warnf("Failed to renew access token. Please sign in to re-authenticate the CLI.") - return RunLoginAsUser(ctx, c) + if t.authenticatedWithClientCredentials() { + return t, fmt.Errorf("Failed to renew access token. This may occur if the designated application has been deleted or client secret has been rotated. Please re-authenticate by running `auth0 login --as-machine`") } - return t, fmt.Errorf("Failed to renew access token. This may occur if the designated application has been deleted or client secret has been rotated. Please re-authenticate by running `auth0 login --as-machine`") + c.renderer.Warnf("Failed to renew access token. Please sign in to re-authenticate the CLI.") + return RunLoginAsUser(ctx, c) + } if err := c.addTenant(t); err != nil { 
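Review bot: `refreshToken := "fadsfasdf"` in `TokenRetriever.Refresh` replaces the `t.Secrets.Get(SecretsNamespace, tenant)` lookup with a fixed literal, so at this revision every refresh request carries the same placeholder regardless of tenant and the stored token is never read. Patch 4/8 restores the lookup, but the intermediate commit stays in history and would break token refresh for anyone bisecting or cherry-picking it. Squash 3/8 and 4/8 before merging so no revision ships the stub, and keep test values for this path behind a test double of `Secrets` rather than in the production function. The body of `Refresh` continues past the hunk.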
diff --git a/internal/cli/login.go b/internal/cli/login.go index 12ef40d5a..f1a8a2360 100644 --- a/internal/cli/login.go +++ b/internal/cli/login.go @@ -66,11 +66,12 @@ auth0 login --domain --client-id --client-secret Date: Tue, 6 Dec 2022 16:50:31 -0500 Subject: [PATCH 4/8] Reverting erroneous change --- internal/auth/token.go | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/internal/auth/token.go b/internal/auth/token.go index 7cd964d80..122b5b137 100644 --- a/internal/auth/token.go +++ b/internal/auth/token.go @@ -32,12 +32,10 @@ func (t *TokenRetriever) Delete(tenant string) error { // The request is used the default client_id and endpoint for device authentication. func (t *TokenRetriever) Refresh(ctx context.Context, tenant string) (TokenResponse, error) { // get stored refresh token: - // refreshToken, err := t.Secrets.Get(SecretsNamespace, tenant) - // if err != nil { - // return TokenResponse{}, fmt.Errorf("cannot get the stored refresh token: %w", err) - // } - - refreshToken := "fadsfasdf" + refreshToken, err := t.Secrets.Get(SecretsNamespace, tenant) + if err != nil { + return TokenResponse{}, fmt.Errorf("cannot get the stored refresh token: %w", err) + } if refreshToken == "" { return TokenResponse{}, errors.New("cannot use the stored refresh token: the token is empty") } From f914c25727183802bdc61fed4a3cadd4fa088690 Mon Sep 17 00:00:00 2001 From: Will Vedder Date: Wed, 7 Dec 2022 12:16:34 -0500 Subject: [PATCH 5/8] Removing --as-machine flag --- test/integration/test-cases.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/integration/test-cases.yaml b/test/integration/test-cases.yaml index cca704b62..e0bd30e39 100644 --- a/test/integration/test-cases.yaml +++ b/test/integration/test-cases.yaml 
@@ -3,7 +3,7 @@ config: tests: login as machine: - command: auth0 logout $AUTH0_CLI_CLIENT_DOMAIN; auth0 login --as-machine --client-id $AUTH0_CLI_CLIENT_ID --client-secret $AUTH0_CLI_CLIENT_SECRET --domain $AUTH0_CLI_CLIENT_DOMAIN + command: auth0 logout $AUTH0_CLI_CLIENT_DOMAIN; auth0 login --client-id $AUTH0_CLI_CLIENT_ID --client-secret $AUTH0_CLI_CLIENT_SECRET --domain $AUTH0_CLI_CLIENT_DOMAIN stderr: "Successfully authenticated to" exit-code: 0 From 3daf9df6a246a2743d42537016de563f87b134e2 Mon Sep 17 00:00:00 2001 From: Will Vedder Date: Wed, 7 Dec 2022 15:37:07 -0500 Subject: [PATCH 6/8] Update internal/cli/cli.go Co-authored-by: Rita Zerrizuela --- internal/cli/cli.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/cli/cli.go b/internal/cli/cli.go index 9b0f63813..e39bcb15d 100644 --- a/internal/cli/cli.go +++ b/internal/cli/cli.go @@ -208,7 +208,7 @@ func (c *cli) prepareTenant(ctx context.Context) (Tenant, error) { } if scopesChanged(t) && t.authenticatedWithDeviceCodeFlow() { - c.renderer.Warnf("Required scopes have changed. Please sign in to re-authorize the CLI.") + c.renderer.Warnf("Required scopes have changed. Please log in to re-authorize the CLI.") return RunLoginAsUser(ctx, c) } From 8eaccd6850a1b0dfddb1eea58864f135f55ed44a Mon Sep 17 00:00:00 2001 From: Will Vedder Date: Wed, 7 Dec 2022 15:37:16 -0500 Subject: [PATCH 7/8] Update internal/cli/cli.go Co-authored-by: Rita Zerrizuela --- internal/cli/cli.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/cli/cli.go b/internal/cli/cli.go index e39bcb15d..51c5e55ac 100644 --- a/internal/cli/cli.go +++ b/internal/cli/cli.go 
@@ -221,7 +221,7 @@ func (c *cli) prepareTenant(ctx context.Context) (Tenant, error) { return t, fmt.Errorf("Failed to renew access token. This may occur if the designated application has been deleted or client secret has been rotated. Please re-authenticate by running `auth0 login --as-machine`") } - c.renderer.Warnf("Failed to renew access token. Please sign in to re-authenticate the CLI.") + c.renderer.Warnf("Failed to renew access token. Please log in to re-authorize the CLI.") return RunLoginAsUser(ctx, c) } From 4f2c5df6da7c9c2250c33f73193fc2efecf69bb6 Mon Sep 17 00:00:00 2001 From: Sergiu Ghitea Date: Fri, 9 Dec 2022 17:12:45 +0100 Subject: [PATCH 8/8] Apply some improvements to the login mechanism --- internal/auth/auth.go | 4 ++-- internal/cli/cli.go | 27 ++++++++++++++++++--------- internal/cli/login.go | 19 +++++++++++-------- test/integration/test-cases.yaml | 5 ----- 4 files changed, 31 insertions(+), 24 deletions(-) diff --git a/internal/auth/auth.go b/internal/auth/auth.go index 2a61fdc1b..9955fe8e3 100644 --- a/internal/auth/auth.go +++ b/internal/auth/auth.go @@ -288,7 +288,7 @@ type ClientCredentials struct { } // GetAccessTokenFromClientCreds generates an access token from client credentials -func GetAccessTokenFromClientCreds(args ClientCredentials) (Result, error) { +func GetAccessTokenFromClientCreds(ctx context.Context, args ClientCredentials) (Result, error) { u, err := url.Parse("https://" + args.Domain) if err != nil { return Result{}, err @@ -305,7 +305,7 @@ func GetAccessTokenFromClientCreds(args ClientCredentials) (Result, error) { }, } - resp, err := credsConfig.Token(context.Background()) + resp, err := credsConfig.Token(ctx) if err != nil { return Result{}, err } diff --git a/internal/cli/cli.go b/internal/cli/cli.go index 51c5e55ac..c98224b15 100644 --- a/internal/cli/cli.go +++ b/internal/cli/cli.go 
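Review bot: `credsConfig.Token(ctx)` in `GetAccessTokenFromClientCreds` now follows the caller's context, but nothing visible in these two auth.go hunks gives that context a deadline, so a tenant endpoint that stops responding could hold the CLI until the user interrupts it. If the callers do not already bound it, derive a deadline here, e.g. `ctx, cancel := context.WithTimeout(ctx, <timeout>)` followed by `defer cancel()`. The doc comment on `GetAccessTokenFromClientCreds` should also mention the new `ctx` parameter and end with a period. The function body extends beyond both hunks.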
@@ -21,6 +21,7 @@ import ( "github.com/spf13/pflag" "github.com/auth0/auth0-cli/internal/analytics" + "github.com/auth0/auth0-cli/internal/ansi" "github.com/auth0/auth0-cli/internal/auth" "github.com/auth0/auth0-cli/internal/auth0" "github.com/auth0/auth0-cli/internal/buildinfo" @@ -109,11 +110,14 @@ func (t *Tenant) hasExpiredToken() bool { func (t *Tenant) regenerateAccessToken(ctx context.Context, c *cli) error { if t.authenticatedWithClientCredentials() { - token, err := auth.GetAccessTokenFromClientCreds(auth.ClientCredentials{ - ClientID: t.ClientID, - ClientSecret: t.ClientSecret, - Domain: t.Domain, - }) + token, err := auth.GetAccessTokenFromClientCreds( + ctx, + auth.ClientCredentials{ + ClientID: t.ClientID, + ClientSecret: t.ClientSecret, + Domain: t.Domain, + }, + ) if err != nil { return err } @@ -208,7 +212,7 @@ func (c *cli) prepareTenant(ctx context.Context) (Tenant, error) { } if scopesChanged(t) && t.authenticatedWithDeviceCodeFlow() { - c.renderer.Warnf("Required scopes have changed. Please log in to re-authorize the CLI.") + c.renderer.Warnf("Required scopes have changed. Please log in to re-authorize the CLI.\n") return RunLoginAsUser(ctx, c) } 
@@ -218,12 +222,17 @@ func (c *cli) prepareTenant(ctx context.Context) (Tenant, error) { if err := t.regenerateAccessToken(ctx, c); err != nil { if t.authenticatedWithClientCredentials() { - return t, fmt.Errorf("Failed to renew access token. This may occur if the designated application has been deleted or client secret has been rotated. Please re-authenticate by running `auth0 login --as-machine`") + return t, fmt.Errorf( + "failed to fetch access token using client credentials.\n\n"+ + "This may occur if the designated application has been deleted or the client secret has been rotated.\n\n"+ + "Please re-authenticate by running: %s", + ansi.Bold("auth0 login --domain --client-secret "), + ) } - c.renderer.Warnf("Failed to renew access token. Please log in to re-authorize the CLI.") - return RunLoginAsUser(ctx, c) + c.renderer.Warnf("Failed to renew access token. Please log in to re-authorize the CLI.\n") + return RunLoginAsUser(ctx, c) } if err := c.addTenant(t); err != nil { diff --git a/internal/cli/login.go b/internal/cli/login.go index f1a8a2360..60a013a4b 100644 --- a/internal/cli/login.go +++ b/internal/cli/login.go @@ -77,7 +77,6 @@ auth0 login --domain --client-id --client-secret --client-id --client-secret