feat: implement RFC 8628 #3851

wants to merge 33 commits into
base: master
07b5313
chore: install fosite from branch (remove)
nsklikas Sep 25, 2024
f038745
fix: set utc expires_at
nsklikas Sep 25, 2024
366fe01
fix: add redirect_uri to test
nsklikas Sep 25, 2024
3211246
chore: update go.mod
nsklikas Sep 25, 2024
b9ccf06
fix: add rfc8628 providers to registry
nsklikas Feb 9, 2024
467d9c3
fix: update database schema
nsklikas Feb 9, 2024
8c11107
fix: update oauth persister logic
nsklikas Sep 24, 2024
09a00ee
feat: add device authorization endpoint handler
nsklikas Feb 9, 2024
27e029c
refactor: move logic to updateSessionWithRequest method
nsklikas Feb 28, 2024
f6da362
fix: rename device auth endpoint handler
nsklikas Feb 28, 2024
76fd069
feat: add device user verification handler
nsklikas Feb 28, 2024
a488e83
fix: implement device user verification logic
nsklikas Feb 28, 2024
a8233fb
feat: update flow
nsklikas Mar 1, 2024
1df9bcd
fix: add post device auth handler
nsklikas Mar 1, 2024
30678c2
feat: add consent handler for accepting a user_code
nsklikas Mar 1, 2024
a956f32
chore: add post_device_done to config schema
nsklikas Mar 7, 2024
554b5dc
chore: add e2e tests
nsklikas Mar 11, 2024
04ce2df
feat: token request handling for device flow
wood-push-melon Mar 23, 2024
5ebeb51
chore: update config
nsklikas Mar 21, 2024
d4391d9
fix: fix the OIDC token and refresh token issue for device flow
wood-push-melon Apr 11, 2024
0a2eadd
fix: update OpenID Connect session after user consent
wood-push-melon Apr 12, 2024
da85bb1
fix: add GetDeviceCodeSessionByRequestID method
nsklikas Apr 15, 2024
d874a9f
fix: return client_id to post_device page
nsklikas Apr 15, 2024
f1d6341
fix: update existing device session
nsklikas Apr 15, 2024
44ca5df
fix: update tests
nsklikas Apr 15, 2024
20e1fe3
fix: add device auth endpoint in discovery metadata
nsklikas Apr 23, 2024
b32093c
fix: make device grant lifetimes configurable
nsklikas Apr 25, 2024
1568863
test: update sql fixtures
nsklikas Apr 29, 2024
5b6cc1f
fix: perform device flow from CLI
nsklikas May 22, 2024
a5bb44b
fix: wrap db calls in transaction
nsklikas Jul 30, 2024
e897168
chore: fix license
nsklikas Sep 25, 2024
111eea0
chore: update sdk
nsklikas Sep 24, 2024
b7767f9
fix: duplicate user_code update
nsklikas Sep 26, 2024
5 changes: 5 additions & 0 deletions .schema/config.schema.json
Expand Up @@ -464,6 +464,11 @@
"description": "Sets the session cookie name. Use with care!",
"type": "object",
"properties": {
"device_csrf": {
"type": "string",
"title": "CSRF Cookie Name",
"default": "ory_hydra_device_csrf"
},
"login_csrf": {
"type": "string",
"title": "CSRF Cookie Name",
Expand Up @@ -31,5 +31,8 @@
"jwt_bearer_grant_access_token_lifespan": null,
"refresh_token_grant_id_token_lifespan": null,
"refresh_token_grant_access_token_lifespan": null,
"refresh_token_grant_refresh_token_lifespan": null
"refresh_token_grant_refresh_token_lifespan": null,
"device_authorization_grant_id_token_lifespan": null,
"device_authorization_grant_access_token_lifespan": null,
"device_authorization_grant_refresh_token_lifespan": null
}
Expand Up @@ -34,5 +34,8 @@
"jwt_bearer_grant_access_token_lifespan": null,
"refresh_token_grant_id_token_lifespan": null,
"refresh_token_grant_access_token_lifespan": null,
"refresh_token_grant_refresh_token_lifespan": null
"refresh_token_grant_refresh_token_lifespan": null,
"device_authorization_grant_id_token_lifespan": null,
"device_authorization_grant_access_token_lifespan": null,
"device_authorization_grant_refresh_token_lifespan": null
}
Expand Up @@ -31,5 +31,8 @@
"jwt_bearer_grant_access_token_lifespan": null,
"refresh_token_grant_id_token_lifespan": null,
"refresh_token_grant_access_token_lifespan": null,
"refresh_token_grant_refresh_token_lifespan": null
"refresh_token_grant_refresh_token_lifespan": null,
"device_authorization_grant_id_token_lifespan": null,
"device_authorization_grant_access_token_lifespan": null,
"device_authorization_grant_refresh_token_lifespan": null
}
Expand Up @@ -32,5 +32,8 @@
"jwt_bearer_grant_access_token_lifespan": null,
"refresh_token_grant_id_token_lifespan": null,
"refresh_token_grant_access_token_lifespan": null,
"refresh_token_grant_refresh_token_lifespan": null
"refresh_token_grant_refresh_token_lifespan": null,
"device_authorization_grant_id_token_lifespan": null,
"device_authorization_grant_access_token_lifespan": null,
"device_authorization_grant_refresh_token_lifespan": null
}
Expand Up @@ -32,5 +32,8 @@
"jwt_bearer_grant_access_token_lifespan": null,
"refresh_token_grant_id_token_lifespan": null,
"refresh_token_grant_access_token_lifespan": null,
"refresh_token_grant_refresh_token_lifespan": null
"refresh_token_grant_refresh_token_lifespan": null,
"device_authorization_grant_id_token_lifespan": null,
"device_authorization_grant_access_token_lifespan": null,
"device_authorization_grant_refresh_token_lifespan": null
}
Expand Up @@ -30,5 +30,8 @@
"jwt_bearer_grant_access_token_lifespan": null,
"refresh_token_grant_id_token_lifespan": null,
"refresh_token_grant_access_token_lifespan": null,
"refresh_token_grant_refresh_token_lifespan": null
"refresh_token_grant_refresh_token_lifespan": null,
"device_authorization_grant_id_token_lifespan": null,
"device_authorization_grant_access_token_lifespan": null,
"device_authorization_grant_refresh_token_lifespan": null
}
Expand Up @@ -34,5 +34,8 @@
"jwt_bearer_grant_access_token_lifespan": null,
"refresh_token_grant_id_token_lifespan": null,
"refresh_token_grant_access_token_lifespan": null,
"refresh_token_grant_refresh_token_lifespan": null
"refresh_token_grant_refresh_token_lifespan": null,
"device_authorization_grant_id_token_lifespan": null,
"device_authorization_grant_access_token_lifespan": null,
"device_authorization_grant_refresh_token_lifespan": null
}
Expand Up @@ -34,5 +34,8 @@
"jwt_bearer_grant_access_token_lifespan": null,
"refresh_token_grant_id_token_lifespan": null,
"refresh_token_grant_access_token_lifespan": null,
"refresh_token_grant_refresh_token_lifespan": null
"refresh_token_grant_refresh_token_lifespan": null,
"device_authorization_grant_id_token_lifespan": null,
"device_authorization_grant_access_token_lifespan": null,
"device_authorization_grant_refresh_token_lifespan": null
}
Expand Up @@ -31,5 +31,8 @@
"jwt_bearer_grant_access_token_lifespan": null,
"refresh_token_grant_id_token_lifespan": null,
"refresh_token_grant_access_token_lifespan": null,
"refresh_token_grant_refresh_token_lifespan": null
"refresh_token_grant_refresh_token_lifespan": null,
"device_authorization_grant_id_token_lifespan": null,
"device_authorization_grant_access_token_lifespan": null,
"device_authorization_grant_refresh_token_lifespan": null
}
Expand Up @@ -30,5 +30,8 @@
"jwt_bearer_grant_access_token_lifespan": null,
"refresh_token_grant_id_token_lifespan": null,
"refresh_token_grant_access_token_lifespan": null,
"refresh_token_grant_refresh_token_lifespan": null
"refresh_token_grant_refresh_token_lifespan": null,
"device_authorization_grant_id_token_lifespan": null,
"device_authorization_grant_access_token_lifespan": null,
"device_authorization_grant_refresh_token_lifespan": null
}
Expand Up @@ -32,5 +32,8 @@
"jwt_bearer_grant_access_token_lifespan": null,
"refresh_token_grant_id_token_lifespan": null,
"refresh_token_grant_access_token_lifespan": null,
"refresh_token_grant_refresh_token_lifespan": null
"refresh_token_grant_refresh_token_lifespan": null,
"device_authorization_grant_id_token_lifespan": null,
"device_authorization_grant_access_token_lifespan": null,
"device_authorization_grant_refresh_token_lifespan": null
}
Expand Up @@ -31,5 +31,8 @@
"jwt_bearer_grant_access_token_lifespan": null,
"refresh_token_grant_id_token_lifespan": null,
"refresh_token_grant_access_token_lifespan": null,
"refresh_token_grant_refresh_token_lifespan": null
"refresh_token_grant_refresh_token_lifespan": null,
"device_authorization_grant_id_token_lifespan": null,
"device_authorization_grant_access_token_lifespan": null,
"device_authorization_grant_refresh_token_lifespan": null
}
Expand Up @@ -31,5 +31,8 @@
"jwt_bearer_grant_access_token_lifespan": null,
"refresh_token_grant_id_token_lifespan": null,
"refresh_token_grant_access_token_lifespan": null,
"refresh_token_grant_refresh_token_lifespan": null
"refresh_token_grant_refresh_token_lifespan": null,
"device_authorization_grant_id_token_lifespan": null,
"device_authorization_grant_access_token_lifespan": null,
"device_authorization_grant_refresh_token_lifespan": null
}
Expand Up @@ -32,7 +32,10 @@
"jwt_bearer_grant_access_token_lifespan": null,
"refresh_token_grant_id_token_lifespan": null,
"refresh_token_grant_access_token_lifespan": null,
"refresh_token_grant_refresh_token_lifespan": null
"refresh_token_grant_refresh_token_lifespan": null,
"device_authorization_grant_id_token_lifespan": null,
"device_authorization_grant_access_token_lifespan": null,
"device_authorization_grant_refresh_token_lifespan": null
},
"status": 200
}
Expand Up @@ -31,7 +31,10 @@
"jwt_bearer_grant_access_token_lifespan": null,
"refresh_token_grant_id_token_lifespan": null,
"refresh_token_grant_access_token_lifespan": null,
"refresh_token_grant_refresh_token_lifespan": null
"refresh_token_grant_refresh_token_lifespan": null,
"device_authorization_grant_id_token_lifespan": null,
"device_authorization_grant_access_token_lifespan": null,
"device_authorization_grant_refresh_token_lifespan": null
},
"status": 200
}
Expand Up @@ -32,7 +32,10 @@
"jwt_bearer_grant_access_token_lifespan": "37h0m0s",
"refresh_token_grant_id_token_lifespan": "40h0m0s",
"refresh_token_grant_access_token_lifespan": "41h0m0s",
"refresh_token_grant_refresh_token_lifespan": "42h0m0s"
"refresh_token_grant_refresh_token_lifespan": "42h0m0s",
"device_authorization_grant_id_token_lifespan": "45h0m0s",
"device_authorization_grant_access_token_lifespan": "46h0m0s",
"device_authorization_grant_refresh_token_lifespan": "47h0m0s"
},
"status": 200
}
Expand Up @@ -34,7 +34,10 @@
"jwt_bearer_grant_access_token_lifespan": null,
"refresh_token_grant_id_token_lifespan": null,
"refresh_token_grant_access_token_lifespan": null,
"refresh_token_grant_refresh_token_lifespan": null
"refresh_token_grant_refresh_token_lifespan": null,
"device_authorization_grant_id_token_lifespan": null,
"device_authorization_grant_access_token_lifespan": null,
"device_authorization_grant_refresh_token_lifespan": null
},
"status": 200
}
Expand Up @@ -33,7 +33,10 @@
"jwt_bearer_grant_access_token_lifespan": null,
"refresh_token_grant_id_token_lifespan": null,
"refresh_token_grant_access_token_lifespan": null,
"refresh_token_grant_refresh_token_lifespan": null
"refresh_token_grant_refresh_token_lifespan": null,
"device_authorization_grant_id_token_lifespan": null,
"device_authorization_grant_access_token_lifespan": null,
"device_authorization_grant_refresh_token_lifespan": null
},
"status": 200
}
Expand Up @@ -27,5 +27,8 @@
"jwt_bearer_grant_access_token_lifespan": null,
"refresh_token_grant_id_token_lifespan": null,
"refresh_token_grant_access_token_lifespan": null,
"refresh_token_grant_refresh_token_lifespan": null
"refresh_token_grant_refresh_token_lifespan": null,
"device_authorization_grant_id_token_lifespan": null,
"device_authorization_grant_access_token_lifespan": null,
"device_authorization_grant_refresh_token_lifespan": null
}
Expand Up @@ -27,5 +27,8 @@
"jwt_bearer_grant_access_token_lifespan": null,
"refresh_token_grant_id_token_lifespan": null,
"refresh_token_grant_access_token_lifespan": null,
"refresh_token_grant_refresh_token_lifespan": null
"refresh_token_grant_refresh_token_lifespan": null,
"device_authorization_grant_id_token_lifespan": null,
"device_authorization_grant_access_token_lifespan": null,
"device_authorization_grant_refresh_token_lifespan": null
}
Expand Up @@ -28,5 +28,8 @@
"jwt_bearer_grant_access_token_lifespan": null,
"refresh_token_grant_id_token_lifespan": null,
"refresh_token_grant_access_token_lifespan": null,
"refresh_token_grant_refresh_token_lifespan": null
"refresh_token_grant_refresh_token_lifespan": null,
"device_authorization_grant_id_token_lifespan": null,
"device_authorization_grant_access_token_lifespan": null,
"device_authorization_grant_refresh_token_lifespan": null
}
24 changes: 24 additions & 0 deletions client/client.go
Expand Up @@ -79,6 +79,7 @@ type Client struct {
// - OpenID Connect Implicit Grant (deprecated!): `implicit`
// - Refresh Token Grant: `refresh_token`
// - OAuth 2.0 Token Exchange: `urn:ietf:params:oauth:grant-type:jwt-bearer`
// - OAuth 2.0 Device Code Grant: `urn:ietf:params:oauth:grant-type:device_code`
GrantTypes sqlxx.StringSliceJSONFormat `json:"grant_types" db:"grant_types"`

// OAuth 2.0 Client Response Types
Expand Down Expand Up @@ -379,6 +380,21 @@ type Lifespans struct {
//
// The lifespan of a refresh token issued by the OAuth2 2.0 Refresh Token Grant for this OAuth 2.0 Client.
RefreshTokenGrantRefreshTokenLifespan x.NullDuration `json:"refresh_token_grant_refresh_token_lifespan,omitempty" db:"refresh_token_grant_refresh_token_lifespan"`

// OAuth2 2.0 Device Authorization Grant ID Token Lifespan
//
// The lifespan of an ID token issued by the OAuth2 2.0 Device Authorization Grant for this OAuth 2.0 Client.
DeviceAuthorizationGrantIDTokenLifespan x.NullDuration `json:"device_authorization_grant_id_token_lifespan,omitempty" db:"device_authorization_grant_id_token_lifespan"`

// OAuth2 2.0 Device Authorization Grant Access Token Lifespan
//
// The lifespan of an access token issued by the OAuth2 2.0 Device Authorization Grant for this OAuth 2.0 Client.
DeviceAuthorizationGrantAccessTokenLifespan x.NullDuration `json:"device_authorization_grant_access_token_lifespan,omitempty" db:"device_authorization_grant_access_token_lifespan"`

// OAuth2 2.0 Device Authorization Grant Device Authorization Lifespan
//
// The lifespan of a Device Authorization issued by the OAuth2 2.0 Device Authorization Grant for this OAuth 2.0 Client.
DeviceAuthorizationGrantRefreshTokenLifespan x.NullDuration `json:"device_authorization_grant_refresh_token_lifespan,omitempty" db:"device_authorization_grant_refresh_token_lifespan"`
}

func (Client) TableName() string {
Expand Down Expand Up @@ -549,6 +565,14 @@ func (c *Client) GetEffectiveLifespan(gt fosite.GrantType, tt fosite.TokenType,
} else if tt == fosite.RefreshToken && c.RefreshTokenGrantRefreshTokenLifespan.Valid {
cl = &c.RefreshTokenGrantRefreshTokenLifespan.Duration
}
} else if gt == fosite.GrantTypeDeviceCode {
if tt == fosite.AccessToken && c.DeviceAuthorizationGrantAccessTokenLifespan.Valid {
cl = &c.DeviceAuthorizationGrantAccessTokenLifespan.Duration
} else if tt == fosite.IDToken && c.DeviceAuthorizationGrantIDTokenLifespan.Valid {
cl = &c.DeviceAuthorizationGrantIDTokenLifespan.Duration
} else if tt == fosite.RefreshToken && c.DeviceAuthorizationGrantRefreshTokenLifespan.Valid {
cl = &c.DeviceAuthorizationGrantRefreshTokenLifespan.Duration
}
}

if cl == nil {
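Review bot: The doc comment on the new DeviceAuthorizationGrantRefreshTokenLifespan field in the Lifespans hunk is wrong: it is headed "Device Authorization Grant Device Authorization Lifespan" and describes "the lifespan of a Device Authorization", while the field name, its json/db tags and the new fosite.GrantTypeDeviceCode branch in GetEffectiveLifespan all treat it as the refresh-token lifespan for that grant. Since this value bounds how long a long-lived credential stays valid, an operator reading the struct comment (or any API documentation derived from it, if that is how the project builds it) could misconfigure it. Align the comment with the sibling refresh-token field: `// OAuth2 2.0 Device Authorization Grant Refresh Token Lifespan` followed by `// The lifespan of a refresh token issued by the OAuth2 2.0 Device Authorization Grant for this OAuth 2.0 Client.`. GetEffectiveLifespan begins before and ends after the third hunk, so the fallback when cl stays nil is not visible here.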
2 changes: 2 additions & 0 deletions client/registry.go
Expand Up @@ -8,6 +8,7 @@ import (

"github.com/ory/fosite"
foauth2 "github.com/ory/fosite/handler/oauth2"
"github.com/ory/fosite/handler/rfc8628"
enigma "github.com/ory/fosite/token/hmac"
"github.com/ory/hydra/v2/jwk"
"github.com/ory/hydra/v2/x"
Expand All @@ -25,5 +26,6 @@ type Registry interface {
OpenIDJWTStrategy() jwk.JWTSigner
OAuth2HMACStrategy() foauth2.CoreStrategy
OAuth2EnigmaStrategy() *enigma.HMACStrategy
RFC8628HMACStrategy() rfc8628.RFC8628CodeStrategy
config.Provider
}