PKCE vs Device Flow: Which OAuth flow is best for CLI auth?
Blog post from WorkOS
When designing a command-line interface (CLI), the choice between Authorization Code with PKCE and the OAuth 2.0 Device Authorization Grant matters: both delegate authentication to a browser and both end with OAuth access and refresh tokens, but they differ in where that browser has to be and in how the tokens get back to the CLI.

PKCE suits native apps and CLIs running on the user's own machine. The CLI starts a loopback HTTP server on 127.0.0.1, opens the authorization URL in the local browser, and receives the authorization code on the loopback redirect. Because the redirect only lands on the machine that started the flow, it is the more phishing-resistant option: an attacker cannot start a login and collect the resulting tokens from a victim who approves it somewhere else.

The Device Code flow fits environments with no local browser, such as SSH sessions and containers. The CLI shows a verification URL and a short user code, the user approves the login in any browser, and the CLI polls the token endpoint until tokens are issued. Nothing binds the approving browser to the polling device, so the verification URL and code can be relayed to a victim by a phisher who then polls for the tokens; that is why some enterprises, Microsoft among them, block the flow by policy.

For CLIs, especially those used in enterprise environments, the recommendation is to support both: default to PKCE for its stronger security, and keep the Device Code flow available as a fallback behind an explicit flag rather than switching to it automatically. That keeps the CLI usable in every environment without silently weakening its default.
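As an added example (not code from the WorkOS post), the following Python sketches the pieces of each flow a CLI has to get right: the PKCE verifier/challenge pair and the state-checked loopback redirect, and the RFC 8628 polling loop with its `slow_down` and error handling. The authorization endpoint, client id, and the scripted token-endpoint replies are constructed stand-ins; no real token or device-authorization request is made.

```python
# Added example, not code from the WorkOS post. Endpoint URL, client id and the
# scripted token-endpoint replies are constructed for illustration.
import base64
import hashlib
import secrets
import threading
import time
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://auth.example.com/oauth2/authorize"  # assumed endpoint


# --- Authorization Code + PKCE (RFC 7636) with a loopback redirect (RFC 8252) ---
def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """code_verifier (kept secret inside the CLI process) and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within the 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_pkce(verifier: str, challenge: str) -> bool:
    """The check the authorization server performs when the CLI redeems the code."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest()) == challenge


def pkce_authorize_url(client_id: str, redirect_uri: str, challenge: str, state: str) -> str:
    """URL the CLI opens in the local browser; the redirect comes back to 127.0.0.1."""
    return AUTHORIZE_URL + "?" + urlencode({
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": "openid offline_access", "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    })


class _CallbackHandler(BaseHTTPRequestHandler):
    """Receives exactly one redirect from the local browser and records its query string."""
    def do_GET(self):
        self.server.result = {k: v[0] for k, v in parse_qs(urlparse(self.path).query).items()}
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"Login complete. You can close this tab.\n")

    def log_message(self, *args):  # keep the CLI's stdout clean
        pass


def loopback_server() -> HTTPServer:
    """Bind an ephemeral port on the loopback interface only; redirect_uri uses that port."""
    srv = HTTPServer(("127.0.0.1", 0), _CallbackHandler)
    srv.result = None
    return srv


def receive_code(srv: HTTPServer, expected_state: str) -> str:
    """Block for one redirect and reject anything that is not our own login attempt."""
    srv.handle_request()
    r = srv.result or {}
    if r.get("state") != expected_state:
        raise RuntimeError("state mismatch: redirect did not come from this login attempt")
    if "code" not in r:
        raise RuntimeError("authorization failed: " + r.get("error", "no code in redirect"))
    return r["code"]


def simulate_browser_redirect(srv: HTTPServer, params: dict) -> None:
    """Stand-in for the real browser: hit the loopback redirect_uri from a background thread."""
    url = f"http://127.0.0.1:{srv.server_address[1]}/callback?{urlencode(params)}"
    threading.Thread(target=lambda: urllib.request.urlopen(url).read(), daemon=True).start()


# --- Device Authorization Grant (RFC 8628): poll the token endpoint ---
def poll_device_token(token_request, device_code: str, interval: int, expires_in: int,
                      sleep=time.sleep, clock=time.monotonic) -> dict:
    """token_request(device_code) returns the token endpoint's JSON reply as a dict.

    Nothing here ties the approving browser to this machine: the user code and
    verification URL can be relayed to a victim by a phisher, who then polls
    exactly like this and receives the tokens. That is the weakness the post notes.
    """
    deadline = clock() + expires_in
    while clock() < deadline:
        sleep(interval)
        resp = token_request(device_code)
        if "access_token" in resp:
            return resp
        err = resp.get("error")
        if err == "authorization_pending":
            continue
        if err == "slow_down":
            interval += 5  # RFC 8628 section 3.5: add 5 s to the interval and keep polling
            continue
        raise RuntimeError(f"device flow failed: {err}")  # access_denied, expired_token, ...
    raise TimeoutError("device code expired before the user approved it")


def scripted_token_endpoint(replies: list):
    """Offline stand-in for the token endpoint: hands out the scripted replies in order."""
    it = iter(replies)
    return lambda _device_code: next(it)


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    srv = loopback_server()
    redirect_uri = f"http://127.0.0.1:{srv.server_address[1]}/callback"
    print("open in browser:", pkce_authorize_url("cli-client-id", redirect_uri, challenge, state))
    simulate_browser_redirect(srv, {"code": "demo-code", "state": state})
    print("code:", receive_code(srv, state), "verifier valid:", verify_pkce(verifier, challenge))
    sleeps = []
    tok = poll_device_token(scripted_token_endpoint([
        {"error": "authorization_pending"}, {"error": "slow_down"},
        {"error": "authorization_pending"}, {"access_token": "demo-token"}]),
        "demo-device-code", interval=5, expires_in=600, sleep=sleeps.append)
    print("device flow token:", tok["access_token"], "poll intervals:", sleeps)
```

The `state` check in `receive_code` is what stops a stray or attacker-crafted redirect to `127.0.0.1` from being accepted as the user's login, and `verify_pkce` is why a code stolen in transit is useless without the verifier that never left the process. In `poll_device_token` the only defence available is honouring `slow_down` and `expired_token`; the flow itself has no equivalent of the loopback binding, which is the reason to keep it behind an explicit flag rather than the default.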