Implement the device authorization endpoint

driver/config/provider.go

@@ -49,6 +49,7 @@ const (
 	KeyOIDCDiscoverySupportedClaims              = "webfinger.oidc_discovery.supported_claims"
 	KeyOIDCDiscoverySupportedScope               = "webfinger.oidc_discovery.supported_scope"
 	KeyOIDCDiscoveryUserinfoEndpoint             = "webfinger.oidc_discovery.userinfo_url"
+	KeyOAuth2DeviceAuthorisationURL              = "webfinger.oidc_discovery.device_authorization_url"
 	KeySubjectTypesSupported                     = "oidc.subject_identifiers.supported_types"
 	KeyDefaultClientScope                        = "oidc.dynamic_client_registration.default_scope"
 	KeyDSN                                       = "dsn"
@@ -72,6 +73,7 @@ const (
 	KeyVerifiableCredentialsNonceLifespan        = "ttl.vc_nonce"      // #nosec G101
 	KeyIDTokenLifespan                           = "ttl.id_token"      // #nosec G101
 	KeyAuthCodeLifespan                          = "ttl.auth_code"
+	KeyDeviceAndUserCodeLifespan                 = "ttl.device_user_code"
 	KeyScopeStrategy                             = "strategies.scope"
 	KeyGetCookieSecrets                          = "secrets.cookie"
 	KeyGetSystemSecret                           = "secrets.system"
@@ -81,6 +83,7 @@ const (
 	KeyLogoutURL                                 = "urls.logout"
 	KeyConsentURL                                = "urls.consent"
 	KeyErrorURL                                  = "urls.error"
+	KeyDeviceVerificationURL                     = "urls.device_verification"
 	KeyPublicURL                                 = "urls.self.public"
 	KeyAdminURL                                  = "urls.self.admin"
 	KeyIssuerURL                                 = "urls.self.issuer"
@@ -92,6 +95,7 @@ const (
 	KeyDBIgnoreUnknownTableColumns               = "db.ignore_unknown_table_columns"
 	KeySubjectIdentifierAlgorithmSalt            = "oidc.subject_identifiers.pairwise.salt"
 	KeyPublicAllowDynamicRegistration            = "oidc.dynamic_client_registration.enabled"
+	KeyDeviceAuthTokenPollingInterval            = "oauth2.device_authorization.token_polling_interval" // #nosec G101
 	KeyPKCEEnforced                              = "oauth2.pkce.enforced"
 	KeyPKCEEnforcedForPublicClients              = "oauth2.pkce.enforced_for_public_clients"
 	KeyLogLevel                                  = "log.level"
@@ -372,6 +376,16 @@ func (p *DefaultProvider) fallbackURL(ctx context.Context, path string, host str
 	return &u
 }
 
+// GetDeviceAndUserCodeLifespan returns the device_code and user_code lifespan. Defaults to 15 minutes.
+func (p *DefaultProvider) GetDeviceAndUserCodeLifespan(ctx context.Context) time.Duration {
+	return p.p.DurationF(KeyDeviceAndUserCodeLifespan, time.Minute*15)
+}
+
+// GetDeviceAuthTokenPollingInterval returns device grant token endpoint polling interval. Defaults to 5 seconds.
+func (p *DefaultProvider) GetDeviceAuthTokenPollingInterval(ctx context.Context) time.Duration {
+	return p.p.DurationF(KeyDeviceAuthTokenPollingInterval, time.Second*5)
+}
+
 func (p *DefaultProvider) LoginURL(ctx context.Context) *url.URL {
 	return urlRoot(p.getProvider(ctx).URIF(KeyLoginURL, p.publicFallbackURL(ctx, "oauth2/fallbacks/login")))
 }
@@ -392,6 +406,11 @@ func (p *DefaultProvider) ErrorURL(ctx context.Context) *url.URL {
 	return urlRoot(p.getProvider(ctx).RequestURIF(KeyErrorURL, p.publicFallbackURL(ctx, "oauth2/fallbacks/error")))
 }
 
+// DeviceVerificationURL returns user_code verification page URL. Defaults to "oauth2/fallbacks/device".
+func (p *DefaultProvider) DeviceVerificationURL(ctx context.Context) *url.URL {
+	return urlRoot(p.getProvider(ctx).URIF(KeyDeviceVerificationURL, p.publicFallbackURL(ctx, "oauth2/fallbacks/device")))
+}
+
 func (p *DefaultProvider) PublicURL(ctx context.Context) *url.URL {
 	return urlRoot(p.getProvider(ctx).RequestURIF(KeyPublicURL, p.IssuerURL(ctx)))
 }
@@ -449,6 +468,11 @@ func (p *DefaultProvider) OAuth2AuthURL(ctx context.Context) *url.URL {
 	return p.getProvider(ctx).RequestURIF(KeyOAuth2AuthURL, urlx.AppendPaths(p.PublicURL(ctx), "/oauth2/auth"))
 }
 
+// OAuth2DeviceAuthorisationURL returns device authorization endpoint. Defaults to "/oauth2/device/auth".
+func (p *DefaultProvider) OAuth2DeviceAuthorisationURL(ctx context.Context) *url.URL {
+	return p.getProvider(ctx).RequestURIF(KeyOAuth2DeviceAuthorisationURL, urlx.AppendPaths(p.PublicURL(ctx), "/oauth2/device/auth"))
+}
+
 func (p *DefaultProvider) JWKSURL(ctx context.Context) *url.URL {
 	return p.getProvider(ctx).RequestURIF(KeyJWKSURL, urlx.AppendPaths(p.IssuerURL(ctx), "/.well-known/jwks.json"))
 }

driver/config/provider_test.go

@@ -279,6 +279,7 @@ func TestViperProviderValidates(t *testing.T) {
 	// webfinger
 	assert.Equal(t, []string{"hydra.openid.id-token", "hydra.jwt.access-token"}, c.WellKnownKeys(ctx))
 	assert.Equal(t, urlx.ParseOrPanic("https://example.com"), c.OAuth2ClientRegistrationURL(ctx))
+	assert.Equal(t, urlx.ParseOrPanic("https://example.com/device_authorization"), c.OAuth2DeviceAuthorisationURL(ctx))
 	assert.Equal(t, urlx.ParseOrPanic("https://example.com/jwks.json"), c.JWKSURL(ctx))
 	assert.Equal(t, urlx.ParseOrPanic("https://example.com/auth"), c.OAuth2AuthURL(ctx))
 	assert.Equal(t, urlx.ParseOrPanic("https://example.com/token"), c.OAuth2TokenURL(ctx))
@@ -297,6 +298,7 @@ func TestViperProviderValidates(t *testing.T) {
 	assert.Equal(t, urlx.ParseOrPanic("https://admin/"), c.AdminURL(ctx))
 	assert.Equal(t, urlx.ParseOrPanic("https://login/"), c.LoginURL(ctx))
 	assert.Equal(t, urlx.ParseOrPanic("https://consent/"), c.ConsentURL(ctx))
+	assert.Equal(t, urlx.ParseOrPanic("https://device/"), c.DeviceVerificationURL(ctx))
 	assert.Equal(t, urlx.ParseOrPanic("https://logout/"), c.LogoutURL(ctx))
 	assert.Equal(t, urlx.ParseOrPanic("https://error/"), c.ErrorURL(ctx))
 	assert.Equal(t, urlx.ParseOrPanic("https://post_logout/"), c.LogoutRedirectURL(ctx))
@@ -314,12 +316,14 @@ func TestViperProviderValidates(t *testing.T) {
 	assert.Equal(t, 2*time.Hour, c.GetRefreshTokenLifespan(ctx))
 	assert.Equal(t, 2*time.Hour, c.GetIDTokenLifespan(ctx))
 	assert.Equal(t, 2*time.Hour, c.GetAuthorizeCodeLifespan(ctx))
+	assert.Equal(t, 2*time.Hour, c.GetDeviceAndUserCodeLifespan(ctx))
 
 	// oauth2
 	assert.Equal(t, true, c.GetSendDebugMessagesToClients(ctx))
 	assert.Equal(t, 20, c.GetBCryptCost(ctx))
 	assert.Equal(t, true, c.GetEnforcePKCE(ctx))
 	assert.Equal(t, true, c.GetEnforcePKCEForPublicClients(ctx))
+	assert.Equal(t, 2*time.Hour, c.GetDeviceAuthTokenPollingInterval(ctx))
 
 	// secrets
 	secret, err := c.GetGlobalSecret(ctx)
@@ -388,16 +392,20 @@ func TestLoginConsentURL(t *testing.T) {
 	p := MustNew(context.Background(), l)
 	p.MustSet(ctx, KeyLoginURL, "http://localhost:8080/oauth/login")
 	p.MustSet(ctx, KeyConsentURL, "http://localhost:8080/oauth/consent")
+	p.MustSet(ctx, KeyDeviceVerificationURL, "http://localhost:8080/oauth/device")
 
 	assert.Equal(t, "http://localhost:8080/oauth/login", p.LoginURL(ctx).String())
 	assert.Equal(t, "http://localhost:8080/oauth/consent", p.ConsentURL(ctx).String())
+	assert.Equal(t, "http://localhost:8080/oauth/device", p.DeviceVerificationURL(ctx).String())
 
 	p2 := MustNew(context.Background(), l)
 	p2.MustSet(ctx, KeyLoginURL, "http://localhost:3000/#/oauth/login")
 	p2.MustSet(ctx, KeyConsentURL, "http://localhost:3000/#/oauth/consent")
+	p2.MustSet(ctx, KeyDeviceVerificationURL, "http://localhost:3000/#/oauth/device")
 
 	assert.Equal(t, "http://localhost:3000/#/oauth/login", p2.LoginURL(ctx).String())
 	assert.Equal(t, "http://localhost:3000/#/oauth/consent", p2.ConsentURL(ctx).String())
+	assert.Equal(t, "http://localhost:3000/#/oauth/device", p2.DeviceVerificationURL(ctx).String())
 }
 
 func TestInfinitRefreshTokenTTL(t *testing.T) {

driver/registry_base.go

@@ -21,6 +21,7 @@
 	"github.com/ory/fosite/compose"
 	foauth2 "github.com/ory/fosite/handler/oauth2"
 	"github.com/ory/fosite/handler/openid"
+	"github.com/ory/fosite/handler/rfc8628"
 	"github.com/ory/herodot"
 	"github.com/ory/hydra/v2/aead"
 	"github.com/ory/hydra/v2/client"
@@ -87,6 +88,7 @@
 	oidcs           jwk.JWTSigner
 	ats             jwk.JWTSigner
 	hmacs           *foauth2.HMACSHAStrategy
+	deviceHmac      rfc8628.RFC8628CodeStrategy
 	fc              *fositex.Config
 	publicCORS      *cors.Cors
 	kratos          kratos.Client
@@ -409,6 +411,16 @@
 	return m.hmacs
 }
 
+// RFC8628HMACStrategy returns the rfc8628 strategy
+func (m *RegistryBase) RFC8628HMACStrategy() rfc8628.RFC8628CodeStrategy {
+	if m.deviceHmac != nil {
+		return m.deviceHmac
+	}
+
+	m.deviceHmac = compose.NewDeviceStrategy(m.OAuth2Config())
+	return m.deviceHmac
+}
+
 func (m *RegistryBase) OAuth2Config() *fositex.Config {
 	if m.fc != nil {
 		return m.fc
@@ -435,6 +447,7 @@
 
 	conf := m.OAuth2Config()
 	hmacAtStrategy := m.OAuth2HMACStrategy()
+	deviceHmacAtStrategy := m.RFC8628HMACStrategy()
 	oidcSigner := m.OpenIDJWTStrategy()
 	atSigner := m.AccessTokenJWTStrategy()
 	jwtAtStrategy := &foauth2.DefaultJWTStrategy{
@@ -449,6 +462,7 @@
 			HMACSHAStrategy: hmacAtStrategy,
 			Config:          conf,
 		}),
+		RFC8628CodeStrategy: deviceHmacAtStrategy,
 		OpenIDConnectTokenStrategy: &openid.DefaultStrategy{
 			Config: conf,
 			Signer: oidcSigner,

fositex/config.go

@@ -42,6 +42,7 @@
 	tokenEndpointHandlers      fosite.TokenEndpointHandlers
 	tokenIntrospectionHandlers fosite.TokenIntrospectionHandlers
 	revocationHandlers         fosite.RevocationHandlers
+	deviceEndpointHandlers     fosite.DeviceEndpointHandlers
 
 	*config.DefaultProvider
 }
@@ -61,6 +62,7 @@
 	compose.OAuth2PKCEFactory,
 	compose.RFC7523AssertionGrantFactory,
 	compose.OIDCUserinfoVerifiableCredentialFactory,
+	compose.RFC8628DeviceFactory,
 }
 
 func NewConfig(deps configDependencies) *Config {
@@ -87,6 +89,9 @@
 		if rh, ok := res.(fosite.RevocationHandler); ok {
 			c.revocationHandlers.Append(rh)
 		}
+		if dh, ok := res.(fosite.DeviceEndpointHandler); ok {
+			c.deviceEndpointHandlers.Append(dh)
+		}
 	}
 }
 
@@ -114,6 +119,11 @@
 	return c.revocationHandlers
 }
 
+// GetDeviceEndpointHandlers returns the deviceEndpointHandlers
+func (c *Config) GetDeviceEndpointHandlers(ctx context.Context) fosite.DeviceEndpointHandlers {
+	return c.deviceEndpointHandlers
+}
+
 func (c *Config) GetGrantTypeJWTBearerCanSkipClientAuth(context.Context) bool {
 	return false
 }
@@ -206,3 +216,8 @@
 		urlx.AppendPaths(c.deps.Config().PublicURL(ctx), oauth2.TokenPath).String(),
 	})
 }
+
+// GetDeviceVerificationURL returns the device verification url
+func (c *Config) GetDeviceVerificationURL(ctx context.Context) string {
+	return urlx.AppendPaths(c.deps.Config().PublicURL(ctx), oauth2.DeviceAuthPath).String()
+}

go.mod

@@ -2,7 +2,7 @@ module github.com/ory/hydra/v2
 
 go 1.21
 
-toolchain go1.21.0
+toolchain go1.21.4
 
 replace (
 	github.com/jackc/pcmock => github.com/jackc/pgmock v0.0.0-20210724152146-4ad1a8207f65
@@ -25,10 +25,10 @@ require (
 	github.com/gofrs/uuid v4.4.0+incompatible
 	github.com/golang-jwt/jwt/v5 v5.0.0
 	github.com/golang/mock v1.6.0
-	github.com/google/uuid v1.4.0
+	github.com/google/uuid v1.6.0
 	github.com/gorilla/securecookie v1.1.2
 	github.com/gorilla/sessions v1.2.2
-	github.com/hashicorp/go-retryablehttp v0.7.4
+	github.com/hashicorp/go-retryablehttp v0.7.5
 	github.com/jackc/pgx/v4 v4.18.1
 	github.com/julienschmidt/httprouter v1.3.0
 	github.com/luna-duclos/instrumentedsql v1.1.3
@@ -44,14 +44,14 @@ require (
 	github.com/ory/hydra-client-go/v2 v2.1.1
 	github.com/ory/jsonschema/v3 v3.0.8
 	github.com/ory/kratos-client-go v0.13.1
-	github.com/ory/x v0.0.607
+	github.com/ory/x v0.0.613
 	github.com/pborman/uuid v1.2.1
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.16.0
 	github.com/rs/cors v1.9.0
 	github.com/sawadashota/encrypta v0.0.3
 	github.com/sirupsen/logrus v1.9.3
-	github.com/spf13/cobra v1.7.0
+	github.com/spf13/cobra v1.8.0
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.8.4
 	github.com/tidwall/gjson v1.17.0
@@ -66,9 +66,9 @@ require (
 	go.opentelemetry.io/otel/sdk v1.21.0
 	go.opentelemetry.io/otel/trace v1.21.0
 	go.uber.org/automaxprocs v1.5.3
-	golang.org/x/crypto v0.17.0
+	golang.org/x/crypto v0.18.0
 	golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa
-	golang.org/x/oauth2 v0.14.0
+	golang.org/x/oauth2 v0.15.0
 	golang.org/x/sync v0.5.0
 	golang.org/x/tools v0.15.0
 )
@@ -96,7 +96,7 @@ require (
 	github.com/creasty/defaults v1.7.0 // indirect
 	github.com/cristalhq/jwt/v4 v4.0.2 // indirect
 	github.com/dave/jennifer v1.7.0 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dgraph-io/ristretto v0.1.1 // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
 	github.com/docker/cli v20.10.21+incompatible // indirect
@@ -112,7 +112,7 @@ require (
 	github.com/fatih/structtag v1.2.0 // indirect
 	github.com/felixge/fgprof v0.9.3 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/fsnotify/fsnotify v1.6.0 // indirect
+	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/go-logr/logr v1.3.0 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/analysis v0.21.4 // indirect
@@ -140,13 +140,13 @@ require (
 	github.com/goccy/go-yaml v1.11.0 // indirect
 	github.com/gofrs/flock v0.8.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/glog v1.1.2 // indirect
+	github.com/golang/glog v1.2.0 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/pprof v0.0.0-20230808223545-4887780b67fb // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/gorilla/css v1.0.0 // indirect
 	github.com/gorilla/handlers v1.5.1 // indirect
-	github.com/gorilla/websocket v1.5.0 // indirect
+	github.com/gorilla/websocket v1.5.1 // indirect
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.18.1 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
@@ -197,25 +197,28 @@ require (
 	github.com/openzipkin/zipkin-go v0.4.2 // indirect
 	github.com/ory/dockertest/v3 v3.10.0 // indirect
 	github.com/ory/go-convenience v0.1.0 // indirect
+	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
-	github.com/pelletier/go-toml/v2 v2.0.9 // indirect
+	github.com/pelletier/go-toml/v2 v2.1.1 // indirect
 	github.com/pkg/profile v1.7.0 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_model v0.4.0 // indirect
 	github.com/prometheus/common v0.44.0 // indirect
 	github.com/prometheus/procfs v0.11.1 // indirect
 	github.com/rogpeppe/go-internal v1.11.0 // indirect
+	github.com/sagikazarmark/locafero v0.4.0 // indirect
+	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 	github.com/seatgeek/logrus-gelf-formatter v0.0.0-20210414080842-5b05eb8ff761 // indirect
 	github.com/segmentio/backo-go v1.0.1 // indirect
 	github.com/sergi/go-diff v1.3.1 // indirect
 	github.com/shopspring/decimal v1.3.1 // indirect
 	github.com/sourcegraph/annotate v0.0.0-20160123013949-f4cad6c6324d // indirect
+	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/sourcegraph/syntaxhighlight v0.0.0-20170531221838-bd320f5d308e // indirect
-	github.com/spf13/afero v1.9.5 // indirect
-	github.com/spf13/cast v1.5.1 // indirect
-	github.com/spf13/jwalterweatherman v1.1.0 // indirect
-	github.com/spf13/viper v1.16.0 // indirect
-	github.com/subosito/gotenv v1.4.2 // indirect
+	github.com/spf13/afero v1.11.0 // indirect
+	github.com/spf13/cast v1.6.0 // indirect
+	github.com/spf13/viper v1.18.2 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/thales-e-security/pool v0.0.2 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
@@ -225,23 +228,26 @@ require (
 	github.com/xtgo/uuid v0.0.0-20140804021211-a0b114877d4c // indirect
 	go.mongodb.org/mongo-driver v1.12.1 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.46.1 // indirect
-	go.opentelemetry.io/contrib/propagators/b3 v1.20.0 // indirect
-	go.opentelemetry.io/contrib/propagators/jaeger v1.20.0 // indirect
+	go.opentelemetry.io/contrib/propagators/b3 v1.21.0 // indirect
+	go.opentelemetry.io/contrib/propagators/jaeger v1.21.1 // indirect
 	go.opentelemetry.io/contrib/samplers/jaegerremote v0.15.1 // indirect
 	go.opentelemetry.io/otel/exporters/jaeger v1.17.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0 // indirect
 	go.opentelemetry.io/otel/exporters/zipkin v1.21.0 // indirect
 	go.opentelemetry.io/otel/metric v1.21.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.0.0 // indirect
+	go.uber.org/atomic v1.10.0 // indirect
+	go.uber.org/multierr v1.9.0 // indirect
 	golang.org/x/mod v0.14.0 // indirect
-	golang.org/x/net v0.18.0 // indirect
-	golang.org/x/sys v0.15.0 // indirect
+	golang.org/x/net v0.20.0 // indirect
+	golang.org/x/sys v0.16.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/time v0.5.0 // indirect
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
 	google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20231106174013-bbf56f31fb17 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20231106174013-bbf56f31fb17 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20231120223509-83a465c0220f // indirect
 	google.golang.org/grpc v1.59.0 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
@@ -250,4 +256,4 @@ require (
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
 
-replace github.com/ory/fosite => github.com/canonical/fosite v0.0.0-20231227112919-2c69fd81013a
+replace github.com/ory/fosite => github.com/canonical/fosite v0.0.0-20240227091618-fee676b7da75