Cloud authentication for third-party applications

With the basic and cookie auth soon to be deprecated, could someone advise me on what auth we could use to authenticate a user that has no admin privileges on their Jira instance and therefore cannot install any add-ons etc.? Would they absolutely have to use an API token instead of their password? It’s not the best user experience… We’ve reached out to Atlassian and we’ve been told that OAuth 2.0 is the way to go. But from reading docs on it I understand the user would have to set up authorisation grants for our app, but without being an admin that’s impossible.
What am I missing? Is there a way to allow a non-admin user to log in to our app like it was possible with cookie and basic auth?