implement RFC 8628: Device authorization grant

2023-03-01 09:59:17 +02:00 · 2023-03-01 09:59:17 +02:00 · 2342f208ef
commit 2342f208ef
parent 03f71a67c2
29 changed files with 1968 additions and 97 deletions
--- a/pkg/client/client.go
+++ b/pkg/client/client.go
@ -1,6 +1,8 @@
 package client

 import (
+	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
@ -186,3 +188,94 @@ func SignedJWTProfileAssertion(clientID string, audience []string, expiration ti
 		IssuedAt:  oidc.Time(iat),
 	}, signer)
 }
+
+type DeviceAuthorizationCaller interface {
+	GetDeviceAuthorizationEndpoint() string
+	HttpClient() *http.Client
+}
+
+func CallDeviceAuthorizationEndpoint(request *oidc.ClientCredentialsRequest, caller DeviceAuthorizationCaller) (*oidc.DeviceAuthorizationResponse, error) {
+	req, err := httphelper.FormRequest(caller.GetDeviceAuthorizationEndpoint(), request, Encoder, nil)
+	if err != nil {
+		return nil, err
+	}
+	if request.ClientSecret != "" {
+		req.SetBasicAuth(request.ClientID, request.ClientSecret)
+	}
+
+	resp := new(oidc.DeviceAuthorizationResponse)
+	if err := httphelper.HttpRequest(caller.HttpClient(), req, &resp); err != nil {
+		return nil, err
+	}
+	return resp, nil
+}
+
+type DeviceAccessTokenRequest struct {
+	*oidc.ClientCredentialsRequest
+	oidc.DeviceAccessTokenRequest
+}
+
+func CallDeviceAccessTokenEndpoint(ctx context.Context, request *DeviceAccessTokenRequest, caller TokenEndpointCaller) (*oidc.AccessTokenResponse, error) {
+	req, err := httphelper.FormRequest(caller.TokenEndpoint(), request, Encoder, nil)
+	if err != nil {
+		return nil, err
+	}
+	if request.ClientSecret != "" {
+		req.SetBasicAuth(request.ClientID, request.ClientSecret)
+	}
+
+	httpResp, err := caller.HttpClient().Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer httpResp.Body.Close()
+
+	resp := new(struct {
+		*oidc.AccessTokenResponse
+		*oidc.Error
+	})
+	if err = json.NewDecoder(httpResp.Body).Decode(resp); err != nil {
+		return nil, err
+	}
+
+	if httpResp.StatusCode == http.StatusOK {
+		return resp.AccessTokenResponse, nil
+	}
+
+	return nil, resp.Error
+}
+
+func PollDeviceAccessTokenEndpoint(ctx context.Context, interval time.Duration, request *DeviceAccessTokenRequest, caller TokenEndpointCaller) (*oidc.AccessTokenResponse, error) {
+	for {
+		timer := time.After(interval)
+		select {
+		case <-ctx.Done():
+			return nil, ctx.Err()
+		case <-timer:
+		}
+
+		ctx, cancel := context.WithTimeout(ctx, interval)
+		defer cancel()
+
+		resp, err := CallDeviceAccessTokenEndpoint(ctx, request, caller)
+		if err == nil {
+			return resp, nil
+		}
+		if errors.Is(err, context.DeadlineExceeded) {
+			interval += 5 * time.Second
+		}
+		var target *oidc.Error
+		if !errors.As(err, &target) {
+			return nil, err
+		}
+		switch target.ErrorType {
+		case oidc.AuthorizationPending:
+			continue
+		case oidc.SlowDown:
+			interval += 5 * time.Second
+			continue
+		default:
+			return nil, err
+		}
+	}
+}
--- a/pkg/client/rp/device.go
+++ b/pkg/client/rp/device.go
@ -0,0 +1,62 @@
+package rp
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/zitadel/oidc/v2/pkg/client"
+	"github.com/zitadel/oidc/v2/pkg/oidc"
+)
+
+func newDeviceClientCredentialsRequest(scopes []string, rp RelyingParty) (*oidc.ClientCredentialsRequest, error) {
+	confg := rp.OAuthConfig()
+	req := &oidc.ClientCredentialsRequest{
+		GrantType:    oidc.GrantTypeDeviceCode,
+		Scope:        scopes,
+		ClientID:     confg.ClientID,
+		ClientSecret: confg.ClientSecret,
+	}
+
+	if signer := rp.Signer(); signer != nil {
+		assertion, err := client.SignedJWTProfileAssertion(rp.OAuthConfig().ClientID, []string{rp.Issuer()}, time.Hour, signer)
+		if err != nil {
+			return nil, fmt.Errorf("failed to build assertion: %w", err)
+		}
+		req.ClientAssertion = assertion
+		req.ClientAssertionType = oidc.ClientAssertionTypeJWTAssertion
+	}
+
+	return req, nil
+}
+
+// DeviceAuthorization starts a new Device Authorization flow as defined
+// in RFC 8628, section 3.1 and 3.2:
+// https://www.rfc-editor.org/rfc/rfc8628#section-3.1
+func DeviceAuthorization(scopes []string, rp RelyingParty) (*oidc.DeviceAuthorizationResponse, error) {
+	req, err := newDeviceClientCredentialsRequest(scopes, rp)
+	if err != nil {
+		return nil, err
+	}
+
+	return client.CallDeviceAuthorizationEndpoint(req, rp)
+}
+
+// DeviceAccessToken attempts to obtain tokens from a Device Authorization,
+// by means of polling as defined in RFC, section 3.3 and 3.4:
+// https://www.rfc-editor.org/rfc/rfc8628#section-3.4
+func DeviceAccessToken(ctx context.Context, deviceCode string, interval time.Duration, rp RelyingParty) (resp *oidc.AccessTokenResponse, err error) {
+	req := &client.DeviceAccessTokenRequest{
+		DeviceAccessTokenRequest: oidc.DeviceAccessTokenRequest{
+			GrantType:  oidc.GrantTypeDeviceCode,
+			DeviceCode: deviceCode,
+		},
+	}
+
+	req.ClientCredentialsRequest, err = newDeviceClientCredentialsRequest(nil, rp)
+	if err != nil {
+		return nil, err
+	}
+
+	return client.PollDeviceAccessTokenEndpoint(ctx, interval, req, tokenEndpointCaller{rp})
+}
--- a/pkg/client/rp/relying_party.go
+++ b/pkg/client/rp/relying_party.go
@ -59,6 +59,10 @@ type RelyingParty interface {
 	// UserinfoEndpoint returns the userinfo
 	UserinfoEndpoint() string

+	// GetDeviceAuthorizationEndpoint returns the enpoint which can
+	// be used to start a DeviceAuthorization flow.
+	GetDeviceAuthorizationEndpoint() string
+
 	// IDTokenVerifier returns the verifier interface used for oidc id_token verification
 	IDTokenVerifier() IDTokenVerifier
 	// ErrorHandler returns the handler used for callback errors
@ -121,6 +125,10 @@ func (rp *relyingParty) UserinfoEndpoint() string {
 	return rp.endpoints.UserinfoURL
 }

+func (rp *relyingParty) GetDeviceAuthorizationEndpoint() string {
+	return rp.endpoints.DeviceAuthorizationURL
+}
+
 func (rp *relyingParty) GetEndSessionEndpoint() string {
 	return rp.endpoints.EndSessionURL
 }
@ -495,11 +503,12 @@ type OptionFunc func(RelyingParty)

 type Endpoints struct {
 	oauth2.Endpoint
-	IntrospectURL string
-	UserinfoURL   string
-	JKWsURL       string
-	EndSessionURL string
-	RevokeURL     string
+	IntrospectURL          string
+	UserinfoURL            string
+	JKWsURL                string
+	EndSessionURL          string
+	RevokeURL              string
+	DeviceAuthorizationURL string
 }

 func GetEndpoints(discoveryConfig *oidc.DiscoveryConfiguration) Endpoints {
@ -509,11 +518,12 @@ func GetEndpoints(discoveryConfig *oidc.DiscoveryConfiguration) Endpoints {
 			AuthStyle: oauth2.AuthStyleAutoDetect,
 			TokenURL:  discoveryConfig.TokenEndpoint,
 		},
-		IntrospectURL: discoveryConfig.IntrospectionEndpoint,
-		UserinfoURL:   discoveryConfig.UserinfoEndpoint,
-		JKWsURL:       discoveryConfig.JwksURI,
-		EndSessionURL: discoveryConfig.EndSessionEndpoint,
-		RevokeURL:     discoveryConfig.RevocationEndpoint,
+		IntrospectURL:          discoveryConfig.IntrospectionEndpoint,
+		UserinfoURL:            discoveryConfig.UserinfoEndpoint,
+		JKWsURL:                discoveryConfig.JwksURI,
+		EndSessionURL:          discoveryConfig.EndSessionEndpoint,
+		RevokeURL:              discoveryConfig.RevocationEndpoint,
+		DeviceAuthorizationURL: discoveryConfig.DeviceAuthorizationEndpoint,
 	}
 }