implement RFC 8628: Device authorization grant

2023-03-01 09:59:17 +02:00 · 2023-03-01 09:59:17 +02:00 · 2342f208ef
commit 2342f208ef
parent 03f71a67c2
29 changed files with 1968 additions and 97 deletions
--- a/pkg/oidc/device_authorization.go
+++ b/pkg/oidc/device_authorization.go
@ -0,0 +1,29 @@
+package oidc
+
+// DeviceAuthorizationRequest implements
+// https://www.rfc-editor.org/rfc/rfc8628#section-3.1,
+// 3.1 Device Authorization Request.
+type DeviceAuthorizationRequest struct {
+	Scopes   SpaceDelimitedArray `schema:"scope"`
+	ClientID string              `schema:"client_id"`
+}
+
+// DeviceAuthorizationResponse implements
+// https://www.rfc-editor.org/rfc/rfc8628#section-3.2
+// 3.2.  Device Authorization Response.
+type DeviceAuthorizationResponse struct {
+	DeviceCode              string `json:"device_code"`
+	UserCode                string `json:"user_code"`
+	VerificationURI         string `json:"verification_uri"`
+	VerificationURIComplete string `json:"verification_uri_complete,omitempty"`
+	ExpiresIn               int    `json:"expires_in"`
+	Interval                int    `json:"interval,omitempty"`
+}
+
+// DeviceAccessTokenRequest implements
+// https://www.rfc-editor.org/rfc/rfc8628#section-3.4,
+// Device Access Token Request.
+type DeviceAccessTokenRequest struct {
+	GrantType  GrantType `json:"grant_type" schema:"grant_type"`
+	DeviceCode string    `json:"device_code" schema:"device_code"`
+}
--- a/pkg/oidc/discovery.go
+++ b/pkg/oidc/discovery.go
@ -30,6 +30,8 @@ type DiscoveryConfiguration struct {
 	// EndSessionEndpoint is a URL where the RP can perform a redirect to request that the End-User be logged out at the OP.
 	EndSessionEndpoint string `json:"end_session_endpoint,omitempty"`

+	DeviceAuthorizationEndpoint string `json:"device_authorization_endpoint,omitempty"`
+
 	// CheckSessionIframe is a URL where the OP provides an iframe that support cross-origin communications for session state information with the RP Client.
 	CheckSessionIframe string `json:"check_session_iframe,omitempty"`

--- a/pkg/oidc/error.go
+++ b/pkg/oidc/error.go
@ -18,6 +18,14 @@ const (
 	InteractionRequired  errorType = "interaction_required"
 	LoginRequired        errorType = "login_required"
 	RequestNotSupported  errorType = "request_not_supported"
+
+	// Additional error codes as defined in
+	// https://www.rfc-editor.org/rfc/rfc8628#section-3.5
+	// Device Access Token Response
+	AuthorizationPending errorType = "authorization_pending"
+	SlowDown             errorType = "slow_down"
+	AccessDenied         errorType = "access_denied"
+	ExpiredToken         errorType = "expired_token"
 )

 var (
@ -77,6 +85,32 @@ var (
 			ErrorType: RequestNotSupported,
 		}
 	}
+
+	// Device Access Token errors:
+	ErrAuthorizationPending = func() *Error {
+		return &Error{
+			ErrorType:   AuthorizationPending,
+			Description: "The client SHOULD repeat the access token request to the token endpoint, after interval from device authorization response.",
+		}
+	}
+	ErrSlowDown = func() *Error {
+		return &Error{
+			ErrorType:   SlowDown,
+			Description: "Polling should continue, but the interval MUST be increased by 5 seconds for this and all subsequent requests.",
+		}
+	}
+	ErrAccessDenied = func() *Error {
+		return &Error{
+			ErrorType:   AccessDenied,
+			Description: "The authorization request was denied.",
+		}
+	}
+	ErrExpiredDeviceCode = func() *Error {
+		return &Error{
+			ErrorType:   ExpiredToken,
+			Description: "The \"device_code\" has expired.",
+		}
+	}
 )

 type Error struct {
--- a/pkg/oidc/token_request.go
+++ b/pkg/oidc/token_request.go
@ -27,6 +27,9 @@ const (
 	// GrantTypeImplicit defines the grant type `implicit` used for implicit flows that skip the generation and exchange of an Authorization Code
 	GrantTypeImplicit GrantType = "implicit"

+	// GrantTypeDeviceCode
+	GrantTypeDeviceCode GrantType = "urn:ietf:params:oauth:grant-type:device_code"
+
 	// ClientAssertionTypeJWTAssertion defines the client_assertion_type `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`
 	// used for the OAuth JWT Profile Client Authentication
 	ClientAssertionTypeJWTAssertion = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
@ -35,7 +38,7 @@ const (
 var AllGrantTypes = []GrantType{
 	GrantTypeCode, GrantTypeRefreshToken, GrantTypeClientCredentials,
 	GrantTypeBearer, GrantTypeTokenExchange, GrantTypeImplicit,
-	ClientAssertionTypeJWTAssertion,
+	GrantTypeDeviceCode, ClientAssertionTypeJWTAssertion,
 }

 type GrantType string