[Feature] OAuth 2.0 Device Authorization Grant (RFC 8628) for CLI/headless authentication

[clouatre]

Is your feature request related to a problem? Please describe.

CLI tools and headless applications cannot use browser-based OAuth flows. Users must manually copy-paste API keys from La Plateforme dashboard, which is error-prone and breaks the developer flow.

I'm building a Rust CLI for OSS contribution triage that needs Mistral API access. With the rise of AI-powered CLI tools (Claude Code, Codex, Block Goose, Mistral Vibe, etc.), there's growing demand for seamless CLI authentication without manual token handling.

Describe the solution you'd like

Implement OAuth 2.0 Device Authorization Grant (RFC 8628):

1. CLI calls POST /oauth/device/code with client_id and optional scope
2. Mistral returns device_code, user_code, verification_uri, expires_in, interval
3. CLI displays: "Visit https://console.mistral.ai/device and enter code: XXXX-XXXX"
4. CLI polls POST /oauth/device/token with device_code (respecting interval)
5. User authorizes in browser
6. Mistral returns access_token and optional refresh_token

Proposed Python API:

from mistralai import Mistral

# Device flow authentication
client = Mistral.device_login()  # "Visit https://console.mistral.ai/device and enter code: XXXX-XXXX"

Describe alternatives you've considered

• Current flow: Requires manual API key copy-paste from La Plateforme dashboard
• Environment variables: Works but requires users to manage token lifecycle manually
• Config files: Static credentials, no rotation or revocation

Additional context

Prior art:

• GitHub: https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps#device-flow
• Google: https://developers.google.com/identity/protocols/oauth2/limited-input-device
• AWS CLI: aws sso login --use-device-code

Use cases:

• Mistral Vibe (dog-fooding opportunity for your own tool!)
• Third-party Rust/Go/Python CLI tools
• SSH sessions without browser access
• Desktop apps without embedded browser
• Initial authentication for AI coding assistants

Strategic timing: Mistral already has a CLI tool (Mistral Vibe). Implementing device flow would benefit Vibe directly and demonstrate commitment to developer experience for the CLI ecosystem.

Suggested token design (following GitHub's approach):

• Access tokens: Long-lived or configurable expiry
• Scopes: Supported via scope parameter in initial /device/code request
• Refresh tokens: Optional for short-lived token rotation