fix: enforce device authorization grant type (#400)

2023-05-26 11:52:35 +03:00 · 2023-05-26 11:52:35 +03:00 · a4dbe2a973
commit a4dbe2a973
parent 09bdd1dca2
4 changed files with 46 additions and 5 deletions
--- a/pkg/op/device.go
+++ b/pkg/op/device.go
@ -122,6 +122,13 @@ func ParseDeviceCodeRequest(r *http.Request, o OpenIDProvider) (*oidc.DeviceAuth
 	if err != nil {
 		return nil, err
 	}
+	client, err := o.Storage().GetClientByClientID(r.Context(), clientID)
+	if err != nil {
+		return nil, err
+	}
+	if !ValidateGrantType(client, oidc.GrantTypeDeviceCode) {
+		return nil, oidc.ErrUnauthorizedClient().WithDescription("client missing grant type " + string(oidc.GrantTypeCode))
+	}

 	req := new(oidc.DeviceAuthorizationRequest)
 	if err := o.Decoder().Decode(req, r.Form); err != nil {