Use custom config endpoint

nkottary · nkottary · commit 2ac63250a55f · 2025-05-12T09:28:51.000Z
diff --git a/src/PkgAuthentication.jl b/src/PkgAuthentication.jl
@@ -183,48 +183,66 @@ function should_use_device_auth()
     return !isempty(get_device_auth_client_id())
 end
 
-function get_openid_configuration(state::NoAuthentication)
+# Query the /auth/configuration endpoint to get the refresh url and
+# device authentication endpoints. Returns a Dict with the following
+# fields:
+# - `device_flow_supported`::Bool: Indicates whether device flow is
+#   enabled on the server.
+# - `refresh_url`::String: The refresh URL for refreshing the auth
+#   token
+# - `device_authorization_endpoint`::String: The endpoint that must
+#   be called to initiate device flow authentication. This field is
+#   only present when device flow is enabled on the server.
+# - `token_endpoint`::String: The endpoint that should be called to
+#   retrieve the authentication token after the user has approved
+#   the authorization request. This field is only present when device
+#   flow is enabled on the server.
+function get_auth_configuration(state::NoAuthentication)
     output = IOBuffer()
+    auth_suffix = isempty(state.auth_suffix) ? "auth" : state.auth_suffix
     response = Downloads.request(
-        joinpath(state.server, ".well-known/openid-configuration"),
+        joinpath(state.server, auth_suffix, "configuration"),
         method = "GET",
         output = output,
         throw = false,
         headers = ["Accept" => "application/json"],
     )
 
+    def_resp = Dict{String, Any}(
+        "device_flow_supported" => false,
+        "refresh_url" => joinpath(state.server, auth_suffix, "renew/token.toml/v2/")
+    )
+
     if response isa Downloads.Response && response.status == 200
         body = nothing
         content = String(take!(output))
         try
             body = JSON.parse(content)
         catch ex
             @debug "Request for well known configuration returned: ", content
-            return false, "", ""
+            return def_resp
         end
 
         if body !== nothing
-            return true, body["device_authorization_endpoint"], body["token_endpoint"]
+	    @assert haskey(body, "device_flow_supported")
+	    @assert haskey(body, "refresh_url")
+	    @assert (body["device_flow_supported"] && haskey(body, "device_authorization_endpoint") && haskey(body, "token_endpoint")) || !body["device_flow_supported"]
+            return body
         end
     end
 
-    return false, "", ""
+    return def_resp
 end
 
 function step(state::NoAuthentication)::Union{RequestLogin, Failure}
-    token_endpoint = ""
-    device_endpoint = ""
-    if should_use_device_auth()
-        s, device_endpoint, token_endpoint = get_openid_configuration(state)
-        s || GenericError("Unable to get device and token endpoints")
-    end
-    success, challenge, body_or_response = if should_use_device_auth()
-        fetch_device_code(state, device_endpoint)
+    auth_config = get_auth_configuration(state)
+    success, challenge, body_or_response = if auth_config["device_flow_supported"]
+        fetch_device_code(state, auth_config["device_authorization_endpoint"])
     else
         initiate_browser_challenge(state)
     end
     if success
-        return RequestLogin(state.server, state.auth_suffix, challenge, body_or_response, token_endpoint)
+        return RequestLogin(state.server, state.auth_suffix, challenge, body_or_response, get(auth_config, "token_endpoint", ""), auth_config["refresh_url"])
     else
         return HttpError(body_or_response)
     end
@@ -251,7 +269,6 @@ function fetch_device_code(state::NoAuthentication, device_endpoint::AbstractStr
         end
 
         if body !== nothing
-            body["client"] = "device"
             return true, "", body
         end
     end
@@ -314,7 +331,6 @@ Base.show(io::IO, s::NeedRefresh) = print(io, "NeedRefresh($(s.server), $(s.auth
 function step(state::NeedRefresh)::Union{HasNewToken, NoAuthentication}
     refresh_token = state.token["refresh_token"]
     output = IOBuffer()
-    is_device = get(state.token, "client", nothing) == "device"
     response = Downloads.request(
         state.token["refresh_url"],
         method = "GET",
@@ -331,17 +347,15 @@ function step(state::NeedRefresh)::Union{HasNewToken, NoAuthentication}
                 assert_dict_keys(body, "expires_in"; msg=msg)
                 assert_dict_keys(body, "expires", "expires_at"; msg=msg)
             end
-            if is_device
-                body["client"] = "device"
-                # refresh_url and expires/expires_at will be present in this refreshed token
-                # so no need to manually add them here
-            end
+	    @info("Successfully refreshed token")
             return HasNewToken(state.server, body)
         catch err
             @debug "invalid body received while refreshing token" exception=(err, catch_backtrace())
         end
+        @info "Did not refresh token, could not json parse ", response
         return NoAuthentication(state.server, state.auth_suffix)
     else
+        @info "Did not refresh token, got non 200 response ", response
         @debug "request for refreshing token failed" response
         return NoAuthentication(state.server, state.auth_suffix)
     end
@@ -404,11 +418,12 @@ struct RequestLogin <: State
     challenge::String
     response::Union{String, Dict{String, Any}}
     token_endpoint::String
+    refresh_url::String
 end
-Base.show(io::IO, s::RequestLogin) = print(io, "RequestLogin($(s.server), $(s.auth_suffix), <REDACTED>, $(s.response), $(s.token_endpoint))")
+Base.show(io::IO, s::RequestLogin) = print(io, "RequestLogin($(s.server), $(s.auth_suffix), <REDACTED>, $(s.response), $(s.token_endpoint), $(s.refresh_url))")
 
 function step(state::RequestLogin)::Union{ClaimToken, Failure}
-    is_device = state.response isa Dict{String, Any} && get(state.response, "client", nothing) == "device"
+    is_device = !isempty(state.token_endpoint)
     url = if is_device
         string(state.response["verification_uri_complete"])
     else
@@ -418,9 +433,9 @@ function step(state::RequestLogin)::Union{ClaimToken, Failure}
     success = open_browser(url)
     if success && is_device
         # In case of device tokens, timeout for challenge is received in the initial request.
-        return ClaimToken(state.server, state.auth_suffix, state.challenge, state.response, Inf, time(), state.response["expires_in"], 2, 0, 10, state.token_endpoint)
+        return ClaimToken(state.server, state.auth_suffix, state.challenge, state.response, Inf, time(), state.response["expires_in"], 2, 0, 10, state.token_endpoint, state.refresh_url)
     elseif success
-        return ClaimToken(state.server, state.auth_suffix, state.challenge, state.response, state.token_endpoint)
+        return ClaimToken(state.server, state.auth_suffix, state.challenge, state.response, state.token_endpoint, state.refresh_url)
     else # this can only happen for the browser hook
         return GenericError("Failed to execute open_browser hook.")
     end
@@ -443,11 +458,12 @@ struct ClaimToken <: State
     failures::Int
     max_failures::Int
     token_endpoint::String
+    refresh_url::String
 end
-Base.show(io::IO, s::ClaimToken) = print(io, "ClaimToken($(s.server), $(s.auth_suffix), <REDACTED>, $(s.response), $(s.expiry), $(s.start_time), $(s.timeout), $(s.poll_interval), $(s.failures), $(s.max_failures), $(s.token_endpoint))")
+Base.show(io::IO, s::ClaimToken) = print(io, "ClaimToken($(s.server), $(s.auth_suffix), <REDACTED>, $(s.response), $(s.expiry), $(s.start_time), $(s.timeout), $(s.poll_interval), $(s.failures), $(s.max_failures), $(s.token_endpoint), $(s.refresh_url))")
 
-ClaimToken(server, auth_suffix, challenge, response, token_endpoint, expiry = Inf, failures = 0) =
-    ClaimToken(server, auth_suffix, challenge, response, expiry, time(), 180, 2, failures, 10, token_endpoint)
+ClaimToken(server, auth_suffix, challenge, response, token_endpoint, refresh_url, expiry = Inf, failures = 0) =
+    ClaimToken(server, auth_suffix, challenge, response, expiry, time(), 180, 2, failures, 10, token_endpoint, refresh_url)
 
 function step(state::ClaimToken)::Union{ClaimToken, HasNewToken, Failure}
     if time() > state.expiry || (time() - state.start_time)/1e6 > state.timeout # server-side or client-side timeout
@@ -461,7 +477,7 @@ function step(state::ClaimToken)::Union{ClaimToken, HasNewToken, Failure}
     sleep(state.poll_interval)
 
     output = IOBuffer()
-    is_device = state.response isa Dict{String, Any} && get(state.response, "client", nothing) == "device"
+    is_device = !isempty(state.token_endpoint)
     if is_device
         output = IOBuffer()
         response = Downloads.request(
@@ -490,25 +506,25 @@ function step(state::ClaimToken)::Union{ClaimToken, HasNewToken, Failure}
         body = try
             JSON.parse(String(take!(output)))
         catch err
-            return ClaimToken(state.server, state.auth_suffix, state.challenge, state.response, state.expiry, state.start_time, state.timeout, state.poll_interval, state.failures + 1, state.max_failures, state.token_endpoint)
+            return ClaimToken(state.server, state.auth_suffix, state.challenge, state.response, state.expiry, state.start_time, state.timeout, state.poll_interval, state.failures + 1, state.max_failures, state.token_endpoint, state.refresh_url)
         end
 
         if haskey(body, "token")
             return HasNewToken(state.server, body["token"])
         elseif haskey(body, "expiry") # time at which the response/challenge pair will expire on the server
-            return ClaimToken(state.server, state.auth_suffix, state.challenge, state.response, body["expiry"], state.start_time, state.timeout, state.poll_interval, state.failures, state.max_failures, state.token_endpoint)
+            return ClaimToken(state.server, state.auth_suffix, state.challenge, state.response, body["expiry"], state.start_time, state.timeout, state.poll_interval, state.failures, state.max_failures, state.token_endpoint, state.refresh_url)
         else
-            return ClaimToken(state.server, state.auth_suffix, state.challenge, state.response, state.expiry, state.start_time, state.timeout, state.poll_interval, state.failures + 1, state.max_failures, state.token_endpoint)
+            return ClaimToken(state.server, state.auth_suffix, state.challenge, state.response, state.expiry, state.start_time, state.timeout, state.poll_interval, state.failures + 1, state.max_failures, state.token_endpoint, state.refresh_url)
         end
     elseif response isa Downloads.Response && response.status == 200
         body = JSON.parse(String(take!(output)))
-        body["client"] = "device"
         body["expires"] = body["expires_in"] + Int(floor(time()))
         body["expires_at"] = body["expires"]
-        body["refresh_url"] = joinpath(state.server, "auth/renew/token.toml/device/") # Need to be careful with auth suffix, if set
+	@info("Setting refresh url to ", state.refresh_url)
+        body["refresh_url"] = state.refresh_url
         return HasNewToken(state.server, body)
     elseif response isa Downloads.Response && response.status in [401, 400] && is_device
-        return ClaimToken(state.server, state.auth_suffix, state.challenge, state.response, state.expiry, state.start_time, state.timeout, state.poll_interval, state.failures + 1, state.max_failures, state.token_endpoint)
+        return ClaimToken(state.server, state.auth_suffix, state.challenge, state.response, state.expiry, state.start_time, state.timeout, state.poll_interval, state.failures + 1, state.max_failures, state.token_endpoint, state.refresh_url)
     else
         return HttpError(response)
     end
diff --git a/test/authserver.jl b/test/authserver.jl
@@ -4,9 +4,12 @@ import TOML
 const EXPIRY = 30
 const CHALLENGE_EXPIRY = 10
 const PORT = 8888
+const LEGACY_MODE = 1
+const DEVICE_FLOW_MODE = 2
 
 const ID_TOKEN = Random.randstring(100)
 const TOKEN = Ref(Dict())
+const MODE = Ref(LEGACY_MODE)
 
 challenge_response_map = Dict()
 challenge_timeout = Dict()
@@ -99,18 +102,36 @@ function check_validity(req)
     return HTTP.Response(200, payload == TOKEN[])
 end
 
+function set_mode_legacy(req)
+    MODE[] = LEGACY_MODE
+    return HTTP.Response(200)
+end
 
+function set_mode_device(req)
+    MODE[] = DEVICE_FLOW_MODE
+    return HTTP.Response(200)
+end
 
-# --------- Device auth methods -----------------
-
-function openid_configuration(req)
-    return HTTP.Response(
-        200,
-        """ {
-            "device_authorization_endpoint": "http://localhost:8888/auth/device/code",
-            "token_endpoint": "http://localhost:8888/auth/token"
-        } """,
-    )
+function auth_configuration(req)
+    if MODE[] == LEGACY_MODE
+        return HTTP.Response(
+            200,
+            """ {
+                "device_flow_supported": false,
+                "refresh_url": "http://localhost:$PORT/auth/renew/token.toml/v2/"
+            } """,
+        )
+    else
+        return HTTP.Response(
+            200,
+            """ {
+                "device_flow_supported": true,
+                "refresh_url": "http://localhost:$PORT/auth/renew/token.toml/device/",
+                "device_authorization_endpoint": "http://localhost:$PORT/auth/device/code",
+                "token_endpoint": "http://localhost:$PORT/auth/token"
+            } """,
+        )
+    end
 end
 
 device_code_user_code_map = Dict{String, Any}()
@@ -126,7 +147,7 @@ function auth_device_code(req)
         """ {
             "device_code": "$device_code",
             "user_code": "$user_code",
-            "verification_uri_complete": "http://localhost:8888/auth/device?user_code=$user_code",
+            "verification_uri_complete": "http://localhost:$PORT/auth/device?user_code=$user_code",
             "expires_in": $CHALLENGE_EXPIRY
         } """,
     )
@@ -141,11 +162,11 @@ function auth_device(req)
     end
     authenticated[device_code] = true
     refresh_token = Random.randstring(10)
-    TOKEN[]["access_token"] = "full-$ID_TOKEN"
+    TOKEN[]["access_token"] = "device-$ID_TOKEN"
     TOKEN[]["token_type"] = "bearer"
     TOKEN[]["expires_in"] = EXPIRY
     TOKEN[]["refresh_token"] = refresh_token
-    TOKEN[]["id_token"] = "full-$ID_TOKEN"
+    TOKEN[]["id_token"] = "device-$ID_TOKEN"
     return HTTP.Response(200)
 end
 
@@ -169,11 +190,13 @@ HTTP.register!(router, "GET", "/auth/response", response_handler)
 HTTP.register!(router, "POST", "/auth/claimtoken", claimtoken_handler)
 HTTP.register!(router, "GET", "/auth/renew/token.toml/v2", renew_handler)
 HTTP.register!(router, "POST", "/auth/isvalid", check_validity)
-HTTP.register!(router, "GET", "/.well-known/openid-configuration", openid_configuration)
+HTTP.register!(router, "GET", "/auth/configuration", auth_configuration)
 HTTP.register!(router, "POST", "/auth/device/code", auth_device_code)
 HTTP.register!(router, "GET", "/auth/device", auth_device)
 HTTP.register!(router, "POST", "/auth/token", auth_token)
 HTTP.register!(router, "GET", "/auth/renew/token.toml/device", renew_handler)
+HTTP.register!(router, "POST", "/set_mode/legacy", set_mode_legacy)
+HTTP.register!(router, "POST", "/set_mode/device", set_mode_device)
 
 function run()
     println("starting server")
diff --git a/test/tests.jl b/test/tests.jl
@@ -61,17 +61,16 @@ PkgAuthentication.register_open_browser_hook(url -> HTTP.get(url))
     @test startswith(success2.token["id_token"], "refresh-")
 end
 
-ENV["JULIA_PKG_AUTHENTICATION_DEVICE_CLIENT_ID"] = "device"
-
 @testset "auth with running server (device flow)" begin
     delete_token()
+    HTTP.post(joinpath(test_pkg_server, "set_mode/device"))
 
     @info "testing inital auth"
     success = PkgAuthentication.authenticate(test_pkg_server)
 
     @test success isa PkgAuthentication.Success
     @test success.token["expires_at"] > time()
-    @test startswith(success.token["id_token"], "full-")
+    @test startswith(success.token["id_token"], "device-")
     @test !occursin("id_token", sprint(show, success))
 
     sleeptimer = ceil(Int, success.token["expires_at"]  - time() + 1)
@@ -85,9 +84,10 @@ ENV["JULIA_PKG_AUTHENTICATION_DEVICE_CLIENT_ID"] = "device"
     @test success2.token["expires_at"] > time()
     @test success2.token["refresh_token"] !== success.token["refresh_token"]
     @test startswith(success2.token["id_token"], "refresh-")
+
+    HTTP.post(joinpath(test_pkg_server, "set_mode/legacy"))
 end
 
-ENV["JULIA_PKG_AUTHENTICATION_DEVICE_CLIENT_ID"] = ""
 
 @testset "PkgAuthentication.install" begin
     delete_token()
