deviceState implement IDTokenRequest directly

2023-12-15 14:12:18 +02:00 · 2023-12-15 14:12:18 +02:00 · d5197e0a53
commit d5197e0a53
parent 315ec4cedf
5 changed files with 82 additions and 73 deletions
--- a/pkg/op/device.go
+++ b/pkg/op/device.go
@ -186,24 +186,6 @@ func NewUserCode(charSet []rune, charAmount, dashInterval int) (string, error) {
 	return buf.String(), nil
 }

-type deviceAccessTokenRequest struct {
-	subject  string
-	audience []string
-	scopes   []string
-}
-
-func (r *deviceAccessTokenRequest) GetSubject() string {
-	return r.subject
-}
-
-func (r *deviceAccessTokenRequest) GetAudience() []string {
-	return r.audience
-}
-
-func (r *deviceAccessTokenRequest) GetScopes() []string {
-	return r.scopes
-}
-
 func DeviceAccessToken(w http.ResponseWriter, r *http.Request, exchanger Exchanger) {
 	ctx, span := tracer.Start(r.Context(), "DeviceAccessToken")
 	defer span.End()
@ -230,7 +212,7 @@ func deviceAccessToken(w http.ResponseWriter, r *http.Request, exchanger Exchang
 	if err != nil {
 		return err
 	}
-	state, err := CheckDeviceAuthorizationState(ctx, clientID, req.DeviceCode, exchanger)
+	tokenRequest, err := CheckDeviceAuthorizationState(ctx, clientID, req.DeviceCode, exchanger)
 	if err != nil {
 		return err
 	}
@ -244,11 +226,6 @@ func deviceAccessToken(w http.ResponseWriter, r *http.Request, exchanger Exchang
 			WithDescription("confidential client requires authentication")
 	}

-	tokenRequest := &deviceAccessTokenRequest{
-		subject:  state.Subject,
-		audience: []string{clientID},
-		scopes:   state.Scopes,
-	}
 	resp, err := CreateDeviceTokenResponse(r.Context(), tokenRequest, exchanger, client)
 	if err != nil {
 		return err
@ -266,6 +243,50 @@ func ParseDeviceAccessTokenRequest(r *http.Request, exchanger Exchanger) (*oidc.
 	return req, nil
 }

+// DeviceAuthorizationState describes the current state of
+// the device authorization flow.
+// It implements the [IDTokenRequest] interface.
+type DeviceAuthorizationState struct {
+	ClientID string
+	Audience []string
+	Scopes   []string
+	Expires  time.Time // The time after we consider the authorization request timed-out
+	Done     bool      // The user authenticated and approved the authorization request
+	Denied   bool      // The user authenticated and denied the authorization request
+
+	// The following fields are populated after Done == true
+	Subject  string
+	AMR      []string
+	AuthTime time.Time
+}
+
+func (r *DeviceAuthorizationState) GetAMR() []string {
+	return r.AMR
+}
+
+func (r *DeviceAuthorizationState) GetAudience() []string {
+	if !slices.Contains(r.Audience, r.ClientID) {
+		r.Audience = append(r.Audience, r.ClientID)
+	}
+	return r.Audience
+}
+
+func (r *DeviceAuthorizationState) GetAuthTime() time.Time {
+	return r.AuthTime
+}
+
+func (r *DeviceAuthorizationState) GetClientID() string {
+	return r.ClientID
+}
+
+func (r *DeviceAuthorizationState) GetScopes() []string {
+	return r.Scopes
+}
+
+func (r *DeviceAuthorizationState) GetSubject() string {
+	return r.Subject
+}
+
 func CheckDeviceAuthorizationState(ctx context.Context, clientID, deviceCode string, exchanger Exchanger) (*DeviceAuthorizationState, error) {
 	storage, err := assertDeviceStorage(exchanger.Storage())
 	if err != nil {
@ -292,6 +313,10 @@ func CheckDeviceAuthorizationState(ctx context.Context, clientID, deviceCode str
 }

 func CreateDeviceTokenResponse(ctx context.Context, tokenRequest TokenRequest, creator TokenCreator, client Client) (*oidc.AccessTokenResponse, error) {
+	/* TODO(v4):
+	Change the TokenRequest argument type to *DeviceAuthorizationState.
+	Breaking change that can not be done for v3.
+	*/
 	ctx, span := tracer.Start(ctx, "CreateDeviceTokenResponse")
 	defer span.End()

@ -307,6 +332,7 @@ func CreateDeviceTokenResponse(ctx context.Context, tokenRequest TokenRequest, c
 		ExpiresIn:    uint64(validity.Seconds()),
 	}

+	// TODO(v4): remove type assertion
 	if idTokenRequest, ok := tokenRequest.(IDTokenRequest); ok && slices.Contains(tokenRequest.GetScopes(), oidc.ScopeOpenID) {
 		response.IDToken, err = CreateIDToken(ctx, IssuerFromContext(ctx), idTokenRequest, client.IDTokenLifetime(), accessToken, "", creator.Storage(), client)
 		if err != nil {
--- a/pkg/op/device_test.go
+++ b/pkg/op/device_test.go
@ -465,50 +465,46 @@ func TestCreateDeviceTokenResponse(t *testing.T) {
 	}{
 		{
 			name: "access token",
-			tokenRequest: &storage.AuthRequest{
-				ID:            "auth1",
-				AuthTime:      time.Now(),
-				ApplicationID: "app1",
-				ResponseType:  oidc.ResponseTypeCode,
-				UserID:        "id1",
+			tokenRequest: &op.DeviceAuthorizationState{
+				ClientID: "client1",
+				Subject:  "id1",
+				AMR:      []string{"password"},
+				AuthTime: time.Now(),
 			},
 			wantAccessToken: true,
 		},
 		{
 			name: "access and refresh tokens",
-			tokenRequest: &storage.AuthRequest{
-				ID:            "auth1",
-				AuthTime:      time.Now(),
-				ApplicationID: "app1",
-				ResponseType:  oidc.ResponseTypeCode,
-				UserID:        "id1",
-				Scopes:        []string{oidc.ScopeOfflineAccess},
+			tokenRequest: &op.DeviceAuthorizationState{
+				ClientID: "client1",
+				Subject:  "id1",
+				AMR:      []string{"password"},
+				AuthTime: time.Now(),
+				Scopes:   []string{oidc.ScopeOfflineAccess},
 			},
 			wantAccessToken:  true,
 			wantRefreshToken: true,
 		},
 		{
 			name: "access and id token",
-			tokenRequest: &storage.AuthRequest{
-				ID:            "auth1",
-				AuthTime:      time.Now(),
-				ApplicationID: "app1",
-				ResponseType:  oidc.ResponseTypeCode,
-				UserID:        "id1",
-				Scopes:        []string{oidc.ScopeOpenID},
+			tokenRequest: &op.DeviceAuthorizationState{
+				ClientID: "client1",
+				Subject:  "id1",
+				AMR:      []string{"password"},
+				AuthTime: time.Now(),
+				Scopes:   []string{oidc.ScopeOpenID},
 			},
 			wantAccessToken: true,
 			wantIDToken:     true,
 		},
 		{
 			name: "access, refresh and id token",
-			tokenRequest: &storage.AuthRequest{
-				ID:            "auth1",
-				AuthTime:      time.Now(),
-				ApplicationID: "app1",
-				ResponseType:  oidc.ResponseTypeCode,
-				UserID:        "id1",
-				Scopes:        []string{oidc.ScopeOfflineAccess, oidc.ScopeOpenID},
+			tokenRequest: &op.DeviceAuthorizationState{
+				ClientID: "client1",
+				Subject:  "id1",
+				AMR:      []string{"password"},
+				AuthTime: time.Now(),
+				Scopes:   []string{oidc.ScopeOfflineAccess, oidc.ScopeOpenID},
 			},
 			wantAccessToken:  true,
 			wantRefreshToken: true,
@ -516,13 +512,12 @@ func TestCreateDeviceTokenResponse(t *testing.T) {
 		},
 		{
 			name: "id token creation error",
-			tokenRequest: &storage.AuthRequest{
-				ID:            "auth1",
-				AuthTime:      time.Now(),
-				ApplicationID: "app1",
-				ResponseType:  oidc.ResponseTypeCode,
-				UserID:        "foobar",
-				Scopes:        []string{oidc.ScopeOfflineAccess, oidc.ScopeOpenID},
+			tokenRequest: &op.DeviceAuthorizationState{
+				ClientID: "client1",
+				Subject:  "foobar",
+				AMR:      []string{"password"},
+				AuthTime: time.Now(),
+				Scopes:   []string{oidc.ScopeOfflineAccess, oidc.ScopeOpenID},
 			},
 			wantErr: true,
 		},
--- a/pkg/op/server_legacy.go
+++ b/pkg/op/server_legacy.go
@ -299,15 +299,10 @@ func (s *LegacyServer) DeviceToken(ctx context.Context, r *ClientRequest[oidc.De
 	ctx, cancel := context.WithTimeout(ctx, 4*time.Second)
 	defer cancel()

-	state, err := CheckDeviceAuthorizationState(ctx, r.Client.GetID(), r.Data.DeviceCode, s.provider)
+	tokenRequest, err := CheckDeviceAuthorizationState(ctx, r.Client.GetID(), r.Data.DeviceCode, s.provider)
 	if err != nil {
 		return nil, err
 	}
-	tokenRequest := &deviceAccessTokenRequest{
-		subject:  state.Subject,
-		audience: []string{r.Client.GetID()},
-		scopes:   state.Scopes,
-	}
 	resp, err := CreateDeviceTokenResponse(ctx, tokenRequest, s.provider, r.Client)
 	if err != nil {
 		return nil, err
--- a/pkg/op/storage.go
+++ b/pkg/op/storage.go
@ -168,15 +168,6 @@ type EndSessionRequest struct {

 var ErrDuplicateUserCode = errors.New("user code already exists")

-type DeviceAuthorizationState struct {
-	ClientID string
-	Scopes   []string
-	Expires  time.Time
-	Done     bool
-	Subject  string
-	Denied   bool
-}
-
 type DeviceAuthorizationStorage interface {
 	// StoreDeviceAuthorizationRequest stores a new device authorization request in the database.
 	// User code will be used by the user to complete the login flow and must be unique.
--- a/pkg/op/token.go
+++ b/pkg/op/token.go
@ -84,6 +84,8 @@ func needsRefreshToken(tokenRequest TokenRequest, client AccessTokenClient) bool
 		return req.GetRequestedTokenType() == oidc.RefreshTokenType
 	case RefreshTokenRequest:
 		return true
+	case *DeviceAuthorizationState:
+		return strings.Contains(req.GetScopes(), oidc.ScopeOfflineAccess) && ValidateGrantType(client, oidc.GrantTypeRefreshToken)
 	default:
 		return false
 	}