Add device authorization grant (device code flow - rfc 8628) #1539
Conversation
duzumaki
force-pushed
the
add-device-flow
branch
2 times, most recently
from
85991ac to
87bbf79
Compare
This model represents the device session for the request and response stage See section 3.1(https://datatracker.ietf.org/doc/html/rfc8628#section-3.1) and 3.2(https://datatracker.ietf.org/doc/html/rfc8628#section-3.2)
duzumaki
force-pushed
the
add-device-flow
branch
from
d3988ee to
377c07d
Compare
Django represents headers according to the common gateway interface(CGI) standard. This means it's in all caps with words divided with a hyphen However a lot of libraries follow the pattern of Something-Something so this ensures the header is set correctly so libraries like oauthlib can read it
This method calls the server's create_device_authorization_response method (https://datatracker.ietf.org/doc/html/rfc8628#section-3.2) and is returns to the caller the information adhering to the rfc
The device flow is initiated by sending the client_id and and a scope. This check should not fail if the client is public
OAUTH_DEVICE_VERIFICATION_URI = the uri that comes back from the response so the user knows where to go to. e.g example.com/device OAUTH_DEVICE_USER_CODE_GENERATOR = Allows a custom callable to be passed in to control how the user code is generated, stored in the db and returned back to the caller DEVICE_MODEL = the device model DEVICE_FLOW_INTERVAL = The time in seconds to wait before the device should poll again
This view is to be used in an authorization server in order to provide a /device endpoint
The grant type for device code is 44 characters
This commit will not be merged(I think). Currently oauthlib is due a release so I'm pointing this to master
duzumaki
force-pushed
the
add-device-flow
branch
from
7106e6f to
816db6e
Compare
duzumaki
force-pushed
the
add-device-flow
branch
from
d94410c to
acc1753
Compare
for more information, see https://pre-commit.ci
There was a problem hiding this comment.
This looks excellent, Only one thing grabbed my attention in my cursory code review, the type of the request parameter. Take a moment to double check that type. I've been bitten by OAuthLib's recasting of Request on a number of occasions. I hope to get time to more thoroughly review this by the end of the week
| @@ -148,6 +151,16 @@ def create_authorization_response(self, request, scopes, credentials, allow): | |||
| except oauth2.OAuth2Error as error: | |||
| raise OAuthToolkitError(error=error, redirect_uri=credentials["redirect_uri"]) | |||
|
|
|||
| def create_device_authorization_response(self, request: HttpRequest): | |||
There was a problem hiding this comment.
Are you sure this is a django.http.HttpRequest and not an oauthlib.common.Request?
There was a problem hiding this comment.
This looks awesome! I left some comments even though I'm not a maintainer, I'm just an excited downstream user :). If you're too busy to address any of my feedback let me know, I'd be happy to spend some time on it.
I got this up and running locally and was able to complete the authorization flow. Other than the comments I left inline, I have a few thoughts.
- Were you planning on adding a default view and template to complete the flow, similar to the way other grant types operate? Obviously the device flow user interaction can be highly customized, but I think a simple view could provide a decent out of the box experience. This was the code I wrote on my application to test this end-to-end:
from oauthlib.oauth2.rfc8628.errors import (
AccessDenied,
ExpiredTokenError,
)
from oauth2_provider.models import get_device_model
from django import forms
class DeviceForm(forms.Form):
user_code = forms.CharField(required=True)
@login_required
def oauth_device_authenticate(request):
form = DeviceForm(request.POST or None)
if request.method == "POST" and form.is_valid():
user_code = form.cleaned_data["user_code"]
device = get_device_model().objects.filter(user_code=user_code).first()
if device is None:
form.add_error("user_code", "Incorrect user code")
else:
if timezone.now() > device.expires:
device.status = device.EXPIRED
device.save(update_fields=["status"])
raise ExpiredTokenError
if device.status in (device.DENIED, device.AUTHORIZED):
raise AccessDenied
if device.user_code == user_code:
device.status = device.AUTHORIZED
device.save(update_fields=["status"])
return HttpResponseRedirect(reverse("oauth-device-authenticate-success"))
return render(request, "device_authenticate.html", {"form": form})
@login_required
def oauth_device_authenticate_success(request):
return render(request, "device_authenticate_success.html")-
Likewise, are downstreams expected to implement their own
/tokenendpoint? -
Should DOT be a little bit more opinionated about how to generate things like
user_code? There seems to be a good bit in the RFC (6.1) about best practices that we could encode for downstreams: e.g. using a shorter code with enough entropy that has readable characters and is compared case-insensitively.
Thanks again for all this work :)
| id = models.BigAutoField(primary_key=True) | ||
| device_code = models.CharField(max_length=100, unique=True) | ||
| user_code = models.CharField(max_length=100) | ||
| scope = models.CharField(max_length=64, default="openid") |
There was a problem hiding this comment.
Why is scope mandatory and defaults to openid? Is there a reason it should deviate from what AbstractGrant does?
| constraints = [ | ||
| models.UniqueConstraint( | ||
| fields=["device_code"], | ||
| name="unique_device_code", |
There was a problem hiding this comment.
| name="unique_device_code", | |
| name="%(app_label)s_%(class)s_unique_device_code", |
|
|
||
| @dataclass | ||
| class DeviceCodeResponse: | ||
| verification_uri: str |
There was a problem hiding this comment.
Should there perhaps be some way of configuring verification_uri_complete similar to verification_uri? That way clients wanting to use a QR code won't have to do their own URI assembly.
| instance. | ||
| :param request: The current django.http.HttpRequest object | ||
| """ | ||
| oauth2_settings.EXTRA_SERVER_KWARGS = { |
There was a problem hiding this comment.
Should this be moved into OAuth2ProviderSettings.server_kwargs where the rest of these are set? It seems like this might cause issues depending on the order of requests when the OAuthlibCore instance is cached.
| headers, response, status = self.create_device_authorization_response(request) | ||
|
|
||
| device_request = DeviceRequest( | ||
| client_id=request.POST["client_id"], scope=request.POST.get("scope", oauth2_settings.READ_SCOPE) |
There was a problem hiding this comment.
Should this default to leaving the scope empty?
| @@ -650,11 +654,93 @@ class Meta(AbstractIDToken.Meta): | |||
| swappable = "OAUTH2_PROVIDER_ID_TOKEN_MODEL" | |||
|
|
|||
|
|
|||
| class AbstractDevice(models.Model): | |||
There was a problem hiding this comment.
Maybe this should be named AbstractDeviceGrant?
| # there should only be one | ||
| device: Device = get_device_model().objects.get(user_code=user_code) | ||
|
|
||
| if datetime.now(tz=UTC) > device.expires: |
There was a problem hiding this comment.
Should the Device/DeviceGrant have an is_expired method similar to Grant so downstreams don't have to reimplement?
| return http.HttpResponseRedirect(...) | ||
|
|
||
| # user is logged in and typed the user code in correctly. redirect to the the approve deny endpoint now | ||
| return http.HttpResponseRedirect(reverse("device-confirm", kwargs={"device_code": device.device_code})) |
There was a problem hiding this comment.
This issues a redirect but the example endpoint expects POST data.
| return self.get(client_id=client_id, device_code=device_code, user_code=user_code) | ||
|
|
||
|
|
||
| class Device(AbstractDevice): |
| status = models.CharField( | ||
| max_length=64, blank=True, choices=DEVICE_FLOW_STATUS, default=AUTHORIZATION_PENDING | ||
| ) | ||
| client_id = models.CharField(max_length=100, default=generate_client_id, db_index=True) |
There was a problem hiding this comment.
Is there a reason this generates its own client_id instead of pointing to an Application that has one? I'm not too familiar with this part of the codebase so feel free to ignore.
Note to reviewers: I've made this a "commit by commit" pr which means it's easier to review the pr if you go commit by commit rather than look at all files changed at once
Fixes #962
Description of the Change
Checklist
CHANGELOG.mdupdated (only for user relevant changes)AUTHORS