fix: enforce device authorization grant type

2023-05-26 11:42:52 +03:00 · 2023-05-26 11:42:52 +03:00 · cfa1c5804a
commit cfa1c5804a
parent 09bdd1dca2
4 changed files with 46 additions and 5 deletions
--- a/pkg/op/device.go
+++ b/pkg/op/device.go
@ -122,6 +122,13 @@ func ParseDeviceCodeRequest(r *http.Request, o OpenIDProvider) (*oidc.DeviceAuth
 	if err != nil {
 		return nil, err
 	}
+	client, err := o.Storage().GetClientByClientID(r.Context(), clientID)
+	if err != nil {
+		return nil, err
+	}
+	if !ValidateGrantType(client, oidc.GrantTypeDeviceCode) {
+		return nil, oidc.ErrUnauthorizedClient().WithDescription("client missing grant type " + string(oidc.GrantTypeCode))
+	}

 	req := new(oidc.DeviceAuthorizationRequest)
 	if err := o.Decoder().Decode(req, r.Form); err != nil {