Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add device authorization grant (device code flow - rfc 8628) #1539

Draft
wants to merge 17 commits into
base: master
Choose a base branch
from
Draft

Add device authorization grant (device code flow - rfc 8628) #1539

wants to merge 17 commits into from
+505 −7

Conversation

duzumaki
Copy link

@duzumaki duzumaki commented Jan 7, 2025
edited
Loading

Note to reviewers: I've made this a "commit by commit" pr which means it's easier to review the pr if you go commit by commit rather than look at all files changed at once

Fixes #962

Description of the Change

Checklist

  • PR only contains one change (considered splitting up PR)
  • unit-test added
  • documentation updated
  • CHANGELOG.md updated (only for user relevant changes)
  • author name in AUTHORS

@duzumaki duzumaki force-pushed the add-device-flow branch 2 times, most recently from 85991ac to 87bbf79 Compare January 7, 2025 16:04
@duzumaki
Add Device model
d6feb72 
This model represents the device session for the request and response stage
See section 3.1(https://datatracker.ietf.org/doc/html/rfc8628#section-3.1)
and 3.2(https://datatracker.ietf.org/doc/html/rfc8628#section-3.2)
duzumaki added 13 commits January 7, 2025 16:07
@duzumaki
Adhere content-type request header to CGI standard
019cfcd 
Django represents headers according to the common gateway interface(CGI)
standard. This means it's in all caps with words divided with a hyphen

However a lot of libraries follow the pattern of Something-Something
so this ensures the header is set correctly so libraries like oauthlib
can read it
@duzumaki
Add create device authorization response method
f29c8ce 
This method calls the server's create_device_authorization_response method
(https://datatracker.ietf.org/doc/html/rfc8628#section-3.2)

and is returns to the caller the information adhering to the rfc
@duzumaki
Update the grant type mapping to recognize device code
1bcc1b0
@duzumaki
Devices that are public should not need basic auth
eb6e711 
The device flow is initiated by sending the client_id and and a scope.
This check should not fail if the client is public
@duzumaki
Add device settings
bd8c497 
OAUTH_DEVICE_VERIFICATION_URI = the uri that comes back from the response
so the user knows where to go to. e.g example.com/device

OAUTH_DEVICE_USER_CODE_GENERATOR = Allows a custom callable to be passed in to control
how the user code is generated, stored in the db and returned back to the caller
DEVICE_MODEL = the device model

DEVICE_FLOW_INTERVAL = The time in seconds to wait before the device should poll again
@duzumaki
Create device authorization view
e42ca9e 
This view is to be used in an authorization server in order to provide
a /device endpoint
@duzumaki
Ensure we import in the views module
7ce4caa
@duzumaki
Migrations
5bc5ef1
@duzumaki
Increase grant type length
e658cb2 
The grant type for device code is 44 characters
@duzumaki
Add initial stage test
d10859f
@duzumaki
Temp commit: Point oauthlib to master
c690361 
This commit will not be merged(I think).
Currently oauthlib is due a release so I'm pointing this
to master
@duzumaki
Add device poll change test
951863f
@duzumaki
Add incorrect client id test
67dafbf
@duzumaki duzumaki mentioned this pull request Jan 7, 2025
Open
dopry
dopry reviewed Jan 7, 2025
View reviewed changes
Copy link
Contributor

@dopry dopry left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks excellent, Only one thing grabbed my attention in my cursory code review, the type of the request parameter. Take a moment to double check that type. I've been bitten by OAuthLib's recasting of Request on a number of occasions. I hope to get time to more thoroughly review this by the end of the week

oauth2_provider/oauth2_backends.py
@@ -148,6 +151,16 @@ def create_authorization_response(self, request, scopes, credentials, allow):
except oauth2.OAuth2Error as error:
raise OAuthToolkitError(error=error, redirect_uri=credentials["redirect_uri"])

def create_device_authorization_response(self, request: HttpRequest):
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are you sure this is a django.http.HttpRequest and not an oauthlib.common.Request?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dopry dopry dopry left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Device Authorization Grant
2 participants
@duzumaki @dopry