Implement RFC 8628

.github/workflows/oidc-conformity.yml

@@ -13,8 +13,8 @@ jobs:
         uses: actions/checkout@v2
         with:
           fetch-depth: 2
-          repository: ory/hydra
-          ref: 2866a0499d02341ed0603601cfe4e63b24506fcb
+          repository: canonical/hydra
+          ref: canonical-master
       - uses: actions/setup-go@v2
         with:
           go-version: "1.21"

access_error.go

@@ -10,11 +10,12 @@ import (
 	"net/http"
 )
 
-func (f *Fosite) WriteAccessError(ctx context.Context, rw http.ResponseWriter, req AccessRequester, err error) {
+// Convert an error to an http response as per RFC6749
+func (f *Fosite) WriteAccessError(ctx context.Context, rw http.ResponseWriter, req Requester, err error) {
 	f.writeJsonError(ctx, rw, req, err)
 }
 
-func (f *Fosite) writeJsonError(ctx context.Context, rw http.ResponseWriter, requester AccessRequester, err error) {
+func (f *Fosite) writeJsonError(ctx context.Context, rw http.ResponseWriter, requester Requester, err error) {
 	rw.Header().Set("Content-Type", "application/json;charset=UTF-8")
 	rw.Header().Set("Cache-Control", "no-store")
 	rw.Header().Set("Pragma", "no-cache")

access_error_test.go

@@ -11,9 +11,9 @@ import (
 	"net/http/httptest"
 	"testing"
 
-	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	gomock "go.uber.org/mock/gomock"
 
 	. "github.com/ory/fosite"
 	. "github.com/ory/fosite/internal"

access_request_handler_test.go

@@ -10,10 +10,10 @@ import (
 	"net/url"
 	"testing"
 
-	"github.com/golang/mock/gomock"
 	"github.com/pkg/errors"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	gomock "go.uber.org/mock/gomock"
 
 	. "github.com/ory/fosite"
 	"github.com/ory/fosite/internal"

access_response_writer_test.go

@@ -8,9 +8,9 @@ import (
 	"fmt"
 	"testing"
 
-	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	gomock "go.uber.org/mock/gomock"
 
 	. "github.com/ory/fosite"
 	"github.com/ory/fosite/internal"

access_write_test.go

@@ -8,8 +8,8 @@ import (
 	"net/http"
 	"testing"
 
-	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/assert"
+	gomock "go.uber.org/mock/gomock"
 
 	. "github.com/ory/fosite"
 	. "github.com/ory/fosite/internal"

audience_strategy.go

@@ -92,10 +92,10 @@ func GetAudiences(form url.Values) []string {
 	}
 }
 
-func (f *Fosite) validateAuthorizeAudience(ctx context.Context, r *http.Request, request *AuthorizeRequest) error {
-	audience := GetAudiences(request.Form)
+func (f *Fosite) validateAudience(ctx context.Context, r *http.Request, request Requester) error {
+	audience := GetAudiences(request.GetRequestForm())
 
-	if err := f.Config.GetAudienceStrategy(ctx)(request.Client.GetAudience(), audience); err != nil {
+	if err := f.Config.GetAudienceStrategy(ctx)(request.GetClient().GetAudience(), audience); err != nil {
 		return err
 	}
 

authorize_error_test.go

@@ -10,8 +10,8 @@ import (
 	"net/url"
 	"testing"
 
-	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/assert"
+	gomock "go.uber.org/mock/gomock"
 
 	. "github.com/ory/fosite"
 	. "github.com/ory/fosite/internal"

authorize_request_handler.go

@@ -390,7 +390,7 @@ func (f *Fosite) newAuthorizeRequest(ctx context.Context, r *http.Request, isPAR
 		return request, err
 	}
 
-	if err = f.validateAuthorizeAudience(ctx, r, request); err != nil {
+	if err = f.validateAudience(ctx, r, request); err != nil {
 		return request, err
 	}
 

authorize_request_handler_test.go

@@ -10,10 +10,10 @@ import (
 	"net/url"
 	"testing"
 
-	"github.com/golang/mock/gomock"
 	"github.com/pkg/errors"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	gomock "go.uber.org/mock/gomock"
 
 	. "github.com/ory/fosite"
 	. "github.com/ory/fosite/internal"

authorize_response_writer_test.go

@@ -7,9 +7,9 @@ import (
 	"context"
 	"testing"
 
-	"github.com/golang/mock/gomock"
 	"github.com/pkg/errors"
 	"github.com/stretchr/testify/assert"
+	gomock "go.uber.org/mock/gomock"
 
 	"github.com/ory/fosite"
 	. "github.com/ory/fosite"

authorize_write_test.go

@@ -9,8 +9,8 @@ import (
 	"net/url"
 	"testing"
 
-	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/assert"
+	gomock "go.uber.org/mock/gomock"
 
 	. "github.com/ory/fosite"
 	. "github.com/ory/fosite/internal"

compose/compose.go

@@ -53,6 +53,9 @@ func Compose(config *fosite.Config, storage interface{}, strategy interface{}, f
 		if ph, ok := res.(fosite.PushedAuthorizeEndpointHandler); ok {
 			config.PushedAuthorizeEndpointHandlers.Append(ph)
 		}
+		if dh, ok := res.(fosite.DeviceEndpointHandler); ok {
+			config.DeviceEndpointHandlers.Append(dh)
+		}
 	}
 
 	return f
@@ -68,6 +71,7 @@ func ComposeAllEnabled(config *fosite.Config, storage interface{}, key interface
 		storage,
 		&CommonStrategy{
 			CoreStrategy:               NewOAuth2HMACStrategy(config),
+			RFC8628CodeStrategy:        NewDeviceStrategy(config),
 			OpenIDConnectTokenStrategy: NewOpenIDConnectStrategy(keyGetter, config),
 			Signer:                     &jwt.DefaultSigner{GetPrivateKey: keyGetter},
 		},
@@ -77,11 +81,14 @@ func ComposeAllEnabled(config *fosite.Config, storage interface{}, key interface
 		OAuth2RefreshTokenGrantFactory,
 		OAuth2ResourceOwnerPasswordCredentialsFactory,
 		RFC7523AssertionGrantFactory,
+		RFC8628DeviceFactory,
+		RFC8628DeviceAuthorizationTokenFactory,
 
 		OpenIDConnectExplicitFactory,
 		OpenIDConnectImplicitFactory,
 		OpenIDConnectHybridFactory,
 		OpenIDConnectRefreshFactory,
+		OpenIDConnectDeviceFactory,
 
 		OAuth2TokenIntrospectionFactory,
 		OAuth2TokenRevocationFactory,

compose/compose_openid.go

@@ -7,6 +7,7 @@ import (
 	"github.com/ory/fosite"
 	"github.com/ory/fosite/handler/oauth2"
 	"github.com/ory/fosite/handler/openid"
+	"github.com/ory/fosite/handler/rfc8628"
 	"github.com/ory/fosite/token/jwt"
 )
 
@@ -79,3 +80,17 @@ func OpenIDConnectHybridFactory(config fosite.Configurator, storage interface{},
 		OpenIDConnectRequestValidator: openid.NewOpenIDConnectRequestValidator(strategy.(jwt.Signer), config),
 	}
 }
+
+// OpenIDConnectDeviceFactory creates an OpenID Connect device ("device code flow") grant handler.
+//
+// **Important note:** You must add this handler *after* you have added an OAuth2 device authorization handler!
+func OpenIDConnectDeviceFactory(config fosite.Configurator, storage interface{}, strategy interface{}) interface{} {
+	return &openid.OpenIDConnectDeviceHandler{
+		OpenIDConnectRequestStorage: storage.(openid.OpenIDConnectRequestStorage),
+		IDTokenHandleHelper: &openid.IDTokenHandleHelper{
+			IDTokenStrategy: strategy.(openid.OpenIDConnectTokenStrategy),
+		},
+		DeviceCodeStrategy: strategy.(rfc8628.DeviceCodeStrategy),
+		Config:             config,
+	}
+}

compose/compose_rfc8628.go

@@ -0,0 +1,37 @@
+// Copyright © 2024 Ory Corp
+// SPDX-License-Identifier: Apache-2.0
+
+// Package compose provides various objects which can be used to
+// instantiate OAuth2Providers with different functionality.
+package compose
+
+import (
+	"github.com/ory/fosite"
+	"github.com/ory/fosite/handler/oauth2"
+	"github.com/ory/fosite/handler/rfc8628"
+)
+
+// RFC8628DeviceFactory creates an OAuth2 device code grant ("Device Authorization Grant") handler and registers
+// a user code, device code, access token and a refresh token validator.
+func RFC8628DeviceFactory(config fosite.Configurator, storage interface{}, strategy interface{}) interface{} {
+	return &rfc8628.DeviceAuthHandler{
+		Strategy: strategy.(rfc8628.RFC8628CodeStrategy),
+		Storage:  storage.(rfc8628.RFC8628CoreStorage),
+		Config:   config,
+	}
+}
+
+// RFC8628DeviceAuthorizationTokenFactory creates an OAuth2 device authorization grant ("Device Authorization Grant") handler and registers
+// an access token, refresh token and authorize code validator.
+func RFC8628DeviceAuthorizationTokenFactory(config fosite.Configurator, storage interface{}, strategy interface{}) interface{} {
+	return &rfc8628.DeviceCodeTokenEndpointHandler{
+		DeviceRateLimitStrategy: strategy.(rfc8628.DeviceRateLimitStrategy),
+		DeviceCodeStrategy:      strategy.(rfc8628.DeviceCodeStrategy),
+		UserCodeStrategy:        strategy.(rfc8628.UserCodeStrategy),
+		AccessTokenStrategy:     strategy.(oauth2.AccessTokenStrategy),
+		RefreshTokenStrategy:    strategy.(oauth2.RefreshTokenStrategy),
+		CoreStorage:             storage.(rfc8628.RFC8628CoreStorage),
+		TokenRevocationStorage:  storage.(oauth2.TokenRevocationStorage),
+		Config:                  config,
+	}
+}

compose/compose_strategy.go

@@ -9,12 +9,14 @@ import (
 	"github.com/ory/fosite"
 	"github.com/ory/fosite/handler/oauth2"
 	"github.com/ory/fosite/handler/openid"
+	"github.com/ory/fosite/handler/rfc8628"
 	"github.com/ory/fosite/token/hmac"
 	"github.com/ory/fosite/token/jwt"
 )
 
 type CommonStrategy struct {
 	oauth2.CoreStrategy
+	rfc8628.RFC8628CodeStrategy
 	openid.OpenIDConnectTokenStrategy
 	jwt.Signer
 }
@@ -27,6 +29,7 @@ type HMACSHAStrategyConfigurator interface {
 	fosite.GlobalSecretProvider
 	fosite.RotatedGlobalSecretsProvider
 	fosite.HMACHashingProvider
+	fosite.DeviceAndUserCodeLifespanProvider
 }
 
 func NewOAuth2HMACStrategy(config HMACSHAStrategyConfigurator) *oauth2.HMACSHAStrategy {
@@ -47,3 +50,11 @@ func NewOpenIDConnectStrategy(keyGetter func(context.Context) (interface{}, erro
 		Config: config,
 	}
 }
+
+// Create a new device strategy
+func NewDeviceStrategy(config fosite.Configurator) *rfc8628.DefaultDeviceStrategy {
+	return &rfc8628.DefaultDeviceStrategy{
+		Enigma: &hmac.HMACStrategy{Config: config},
+		Config: config,
+	}
+}

config.go

@@ -46,6 +46,17 @@ type IDTokenLifespanProvider interface {
 	GetIDTokenLifespan(ctx context.Context) time.Duration
 }
 
+// DeviceAndUserCodeLifespanProvider returns the provider for configuring the device and user code lifespan
+type DeviceAndUserCodeLifespanProvider interface {
+	GetDeviceAndUserCodeLifespan(ctx context.Context) time.Duration
+}
+
+// DeviceAndUserCodeLifespanProvider returns the provider for configuring the device and user code lifespan
+type UserCodeProvider interface {
+	GetUserCodeLength(ctx context.Context) int
+	GetUserCodeSymbols(ctx context.Context) []rune
+}
+
 // ScopeStrategyProvider returns the provider for configuring the scope strategy.
 type ScopeStrategyProvider interface {
 	// GetScopeStrategy returns the scope strategy.
@@ -76,6 +87,12 @@ type DisableRefreshTokenValidationProvider interface {
 	GetDisableRefreshTokenValidation(ctx context.Context) bool
 }
 
+// DeviceProvider returns the provider for configuring the device flow
+type DeviceProvider interface {
+	GetDeviceVerificationURL(ctx context.Context) string
+	GetDeviceAuthTokenPollingInterval(ctx context.Context) time.Duration
+}
+
 // BCryptCostProvider returns the provider for configuring the BCrypt hash cost.
 type BCryptCostProvider interface {
 	// GetBCryptCost returns the BCrypt  hash cost.
@@ -306,3 +323,9 @@ type PushedAuthorizeRequestConfigProvider interface {
 	// must contain the PAR request_uri.
 	EnforcePushedAuthorize(ctx context.Context) bool
 }
+
+// DeviceEndpointHandlersProvider returns the provider for setting up the Device handlers.
+type DeviceEndpointHandlersProvider interface {
+	// GetDeviceEndpointHandlers returns the handlers.
+	GetDeviceEndpointHandlers(ctx context.Context) DeviceEndpointHandlers
+}