From 73097533d43a8fdd13fe8c461ce50716209baf51 Mon Sep 17 00:00:00 2001
From: Nikos
Date: Mon, 18 Nov 2024 11:25:36 +0200
Subject: [PATCH] fix: do not create openid session on device auth request

---
 handler/openid/flow_device_auth.go | 12 +++-------
 handler/openid/flow_device_auth_test.go | 27 -------------------------
 2 files changed, 3 insertions(+), 36 deletions(-)

diff --git a/handler/openid/flow_device_auth.go b/handler/openid/flow_device_auth.go
index efeb2115..5bf8333b 100644
--- a/handler/openid/flow_device_auth.go
+++ b/handler/openid/flow_device_auth.go
@@ -25,6 +25,9 @@ type OpenIDConnectDeviceHandler struct {
 }
 
 func (c *OpenIDConnectDeviceHandler) HandleDeviceEndpointRequest(ctx context.Context, dar fosite.DeviceRequester, resp fosite.DeviceResponder) error {
+ // We don't want to create the openid session on this call, because we don't know if the user
+ // will actually complete the flow and give consent. The implementer MUST call the CreateOpenIDConnectSession
+ // methods when the user logs in to instantiate the session.
 if !(dar.GetRequestedScopes().Has("openid")) {
 return nil
 }
@@ -37,14 +40,5 @@ func (c *OpenIDConnectDeviceHandler) HandleDeviceEndpointRequest(ctx context.Con
 return errorsx.WithStack(fosite.ErrMisconfiguration.WithDebug("The device code has not been issued yet, indicating a broken code configuration."))
 }
 
- signature, err := c.DeviceCodeStrategy.DeviceCodeSignature(ctx, resp.GetDeviceCode())
- if err != nil {
- return err
- }
-
- if err := c.OpenIDConnectRequestStorage.CreateOpenIDConnectSession(ctx, signature, dar.Sanitize(oidcParameters)); err != nil {
- return errorsx.WithStack(fosite.ErrServerError.WithWrap(err).WithDebug(err.Error()))
- }
-
 return nil
 }
diff --git a/handler/openid/flow_device_auth_test.go b/handler/openid/flow_device_auth_test.go
index 34bb3bbf..25ea3815 100644
--- a/handler/openid/flow_device_auth_test.go
+++ b/handler/openid/flow_device_auth_test.go
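Review bot: The added three-line comment states an integration contract ("the implementer MUST call CreateOpenIDConnectSession when the user logs in"), but it sits inside the method body where godoc and IDE hover never show it; move that requirement into the doc comment on the exported HandleDeviceEndpointRequest. Something like `// HandleDeviceEndpointRequest only validates the request; it deliberately does not persist an OpenID Connect session because the user has not yet authenticated or consented.` followed by a sentence naming the CreateOpenIDConnectSession obligation. While there, "the CreateOpenIDConnectSession methods" should read "method" (singular), and the "MUST" is worth keeping since a missing session at consent time is what the token exchange will later depend on (inferred from the removed storage call, not visible here).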
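Review bot: In the second hunk of flow_device_auth.go, the surviving ErrMisconfiguration guard ("The device code has not been issued yet") no longer protects any use of resp.GetDeviceCode() in this function, because the DeviceCodeSignature call that consumed it is the code being removed; the check now reads as dead defensive logic. If it is intentionally kept as an ordering invariant (this handler must run after the device code is issued), say so on that line, e.g. `// Ordering check only: the code is no longer consumed here, but a missing code means the handler chain is wired wrong.` — otherwise drop it. The removed lines also appear to be the only uses of c.DeviceCodeStrategy and c.OpenIDConnectRequestStorage in this handler; if nothing else in the file reads them (the struct definition is outside the hunk), those fields and their doc comments should be reviewed so the type does not advertise dependencies it never touches. The enclosing function starts outside this hunk.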
@@ -10,7 +10,6 @@ import (
 "time"
 
 "github.com/ory/fosite/internal"
- "github.com/pkg/errors"
 gomock "go.uber.org/mock/gomock"
 
 "github.com/stretchr/testify/require"
@@ -101,26 +100,6 @@ func TestDeviceAuth_HandleDeviceEndpointRequest(t *testing.T) {
 authresp: &fosite.DeviceResponse{},
 expectErr: fosite.ErrMisconfiguration,
 },
- {
- description: "should fail because cannot create session",
- authreq: &fosite.DeviceRequest{
- Request: fosite.Request{
- RequestedScope: fosite.Arguments{"openid", "email"},
- Client: client,
- Session: session,
- },
- },
- authresp: &fosite.DeviceResponse{
- DeviceCode: "device_code",
- },
- setup: func(authreq *fosite.DeviceRequest) {
- store.
- EXPECT().
- CreateOpenIDConnectSession(gomock.Any(), gomock.Any(), gomock.Eq(authreq.Sanitize(oidcParameters))).
- Return(errors.New(""))
- },
- expectErr: fosite.ErrServerError,
- },
 {
 description: "should pass",
 authreq: &fosite.DeviceRequest{
@@ -133,12 +112,6 @@ func TestDeviceAuth_HandleDeviceEndpointRequest(t *testing.T) {
 authresp: &fosite.DeviceResponse{
 DeviceCode: "device_code",
 },
- setup: func(authreq *fosite.DeviceRequest) {
- store.
- EXPECT().
- CreateOpenIDConnectSession(gomock.Any(), gomock.Any(), gomock.Eq(authreq.Sanitize(oidcParameters))).
- Return(nil)
- },
 },
 }