We should provide a CLI tool allowing users to retrieve their OpenID Connect access and refresh tokens easily. For instance:
    $ swh authenticate -u <username> -p <password>
    <JSON dump of tokens>
This tool should only send requests to the Keycloak server, as we do not want credentials to transit through any swh web application.
As the main usage of that tool will be to generate bearer tokens to authenticate a user querying the Software Heritage Web API,
providing OIDC offline access seems the best option here.
With offline access, the OIDC refresh token has a much longer expiration time (60 days by default in Keycloak with 30 days idle time,
which can be easily changed). It means the refresh token can be stored by a user and reused to get a new access token without having
to log in again, which is pretty convenient for Web API clients.
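
A sketch of the two token requests such a tool would build, with a guard that refuses to send credentials anywhere but the Keycloak origin. This is an added example, not code from the swh project. The server URL, realm, client id and all function names are assumptions, as is the use of the OAuth 2.0 password grant (the client must allow direct access grants); the sample token is constructed.

```python
import base64, json, time
from urllib.parse import urlencode, urlsplit

# Assumptions (not from the page): server URL, realm and client id.
KEYCLOAK_URL = "https://keycloak.example.org"
REALM = "ExampleRealm"
CLIENT_ID = "example-cli"

def token_endpoint(base=KEYCLOAK_URL, realm=REALM):
    # Keycloak's OIDC token endpoint (older releases prefix the path with /auth).
    return f"{base}/realms/{realm}/protocol/openid-connect/token"

def check_destination(url, base=KEYCLOAK_URL):
    """Refuse to send credentials anywhere but the Keycloak origin, over HTTPS."""
    u, b = urlsplit(url), urlsplit(base)
    if u.scheme != "https" or (u.hostname, u.port) != (b.hostname, b.port):
        raise ValueError(f"refusing to send credentials to {url}")
    return url

def login_request(username, password):
    """Password grant asking for an offline (long-lived) refresh token."""
    form = {"grant_type": "password", "client_id": CLIENT_ID,
            "scope": "openid offline_access",
            "username": username, "password": password}
    return check_destination(token_endpoint()), urlencode(form)

def refresh_request(refresh_token):
    """Refresh grant: trades the stored refresh token for a new access token."""
    form = {"grant_type": "refresh_token", "client_id": CLIENT_ID,
            "refresh_token": refresh_token}
    return check_destination(token_endpoint()), urlencode(form)

def jwt_exp(token):
    """Read the exp claim without verifying the signature (scheduling only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["exp"]

def needs_refresh(access_token, now=None, skew=30):
    """True when the access token expires within `skew` seconds."""
    now = time.time() if now is None else now
    return jwt_exp(access_token) - now <= skew

def sample_jwt(exp):
    """Constructed, unsigned token used only as sample input."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'exp': exp})}.sig"
```

Each function returns the URL and form body to POST; the stored refresh token should be kept in a file readable only by its owner, since it stands in for the password for as long as it is valid.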