Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: implement RFC 8628 #3912

Open
wants to merge 36 commits into
base: master
Choose a base branch
from
Open

feat: implement RFC 8628 #3912

wants to merge 36 commits into from

Conversation

nsklikas
Copy link

This PR is a continuation of #3851. I have created it from my own personal repo and I have invited people from Ory to contribute so that we can speed up things. I think that most of the comments in the old PR were resolved, but I can copy them to this PR if we wish to keep the discussion history.

Implements the Device Authorization Grant to enable authentication for headless machines (see https://datatracker.ietf.org/doc/html/rfc8628)

Related issue(s)

Implements RFC 8628.

This PR is based on the work done on #3252, by @supercairos and @BuzzBumbleBee. That PR was based on an older version of Hydra and was missing some features/tests.

We have prepared a spec, that describes our design and implementation. We have tried to mimic the existing logic in Hydra and not make changes that would disrupt the existing workflows

Checklist

  • I have read the contributing guidelines.
  • I have referenced an issue containing the design document if my change
    introduces a new feature.
  • I am following the
    contributing code guidelines.
  • I have read the security policy.
  • I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security vulnerability, I
    confirm that I got the approval (please contact
    [email protected]) from the maintainers to push
    the changes.
  • I have added tests that prove my fix is effective or that my feature
    works.
  • I have added or changed the documentation.

Further Comments

Notes:

  • The current implementation has been manually tested only for memory and postgres databases. The tests pass all of them.
  • Fosite is installed from our fork to ease testing. Once the relevant PR in fosite is merged, we will update go.mod.

Testing

To test this you need to built the hydra image:

make docker

This will create an image with the name: oryd/hydra:latest-sqlite

To run the flow you can use our UI, from https://github.com/canonical/identity-platform-login-ui/tree/hydra-device-test:

git clone [email protected]:canonical/identity-platform-login-ui.git -b hydra-device-test
cd identity-platform-login-ui/
# The image name is hard-coded in the docker-compose file
docker compose up --remove-orphans --force-recreate -d

Create a client for Hydra:

docker exec -it identity-platform-login-ui-hydra-1 hydra create client   --endpoint http://localhost:4445   --grant-type authorization_code,refresh_token,urn:ietf:params:oauth:grant-type:device_code --scope openid,offline_access,email,profile --token-endpoint-auth-method client_secret_post

Use that client to perform the device flow:

docker exec -it identity-platform-login-ui-hydra-1 hydra perform device-code --client-id <client-id> --client-secret <client-secret> -e http://localhost:4444 --scope openid,offline_access,email,profile

The user for logging in is:

@nsklikas nsklikas mentioned this pull request Dec 18, 2024
Open
7 tasks
nsklikas and others added 26 commits December 18, 2024 13:12
@nsklikas
chore: install fosite from branch (remove)
d4f1f02
@nsklikas
fix: set utc expires_at
14d2af7
@nsklikas
fix: add redirect_uri to test
2c0f9a0
@nsklikas
fix: add rfc8628 providers to registry
a99fa3d
@nsklikas
fix: update database schema
0832c17
@nsklikas
fix: update oauth persister logic
905f610
@nsklikas
feat: add device authorization endpoint handler
8f4a1ab
@nsklikas
refactor: move logic to updateSessionWithRequest method
e86d044
@nsklikas
fix: rename device auth endpoint handler
cb84dd4
@nsklikas
feat: add device user verification handler
d9c3ecc
@nsklikas
fix: implement device user verification logic
365a980
@nsklikas
feat: update flow
86e46dd
@nsklikas
fix: add post device auth handler
c4b28f8
@nsklikas
feat: add consent handler for accepting a user_code
1efbd3a
@nsklikas
chore: add post_device_done to config schema
45abdba
@nsklikas
chore: add e2e tests
0921426
@wood-push-melon @nsklikas
feat: token request handling for device flow
99b5a1a
@nsklikas
chore: update config
7daab9f
@wood-push-melon @nsklikas
fix: fix the OIDC token and refresh token issue for device flow
7e60cc0
@wood-push-melon @nsklikas
fix: update OpenID Connect session after user consent
413f7c1
@nsklikas
fix: add GetDeviceCodeSessionByRequestID method
a140169
@nsklikas
fix: return client_id to post_device page
ff9933c
@nsklikas
fix: update existing device session
eec977c 
Instead of updating the device session, we were over-writing it causing
existing session info that were created from fosite to be lost.
@nsklikas
fix: update tests
87b2cef
@nsklikas
fix: add device auth endpoint in discovery metadata
b9e587f
@nsklikas
fix: make device grant lifetimes configurable
5c56722
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aeneasr aeneasr Awaiting requested review from aeneasr aeneasr is a code owner

@hperl hperl Awaiting requested review from hperl

@alnr alnr Awaiting requested review from alnr

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@nsklikas @wood-push-melon