Login via OAuth

[anbraten]

As the future preferred authentication method of atprotocol is going to be oauth Nimbus should probably follow this:

• https://atproto.com/specs/oauth
• https://docs.bsky.app/docs/advanced-guides/oauth-client
• https://docs.bsky.app/blog/oauth-atproto
• https://github.com/bluesky-social/atproto/blob/main/packages/api/OAUTH.md
• OAuth Roadmap bluesky-social/atproto#2656

Implementation references

One of the best reference implementations of the rather new spec seems to be:

• https://github.com/bluesky-social/ozone/blob/bd289bc9ff864d5cc4c3c73246000f6a05cbac2a/components/shell/auth/oauth/useOAuth.ts#L28
• https://github.com/bluesky-social/ozone/blob/bd289bc9ff864d5cc4c3c73246000f6a05cbac2a/components/shell/AuthContext.tsx#L45

Open questions

• Should the client or the server do the flow? (seems like in elk the server was doing it, are there any reasons for that?)
• How does it work with multiple servers?
• How does it work with multiple handles?

[mary-ext]

My recommendation would probably be to go through with app passwords for now as we wait for OAuth to stabilize, while keeping an easy migration path to it. I've seen a decent amount of folks getting confused over logins, mainly because app passwords is still the norm.