fix: fetch token scope from discovery endpoint

mortenpi · mortenpi · commit e82dd3e31428 · 2025-06-10T21:59:00.000+03:00
diff --git a/Project.toml b/Project.toml
@@ -1,7 +1,7 @@
 name = "PkgAuthentication"
 uuid = "4722fa14-9d28-45f9-a1e2-a38605bd88f0"
 authors = ["Sebastian Pfitzner", "contributors"]
-version = "2.2.0"
+version = "2.2.1"
 
 [deps]
 Downloads = "f43a241f-c20a-4ad4-852c-f6b1247861c6"
diff --git a/docs/auth-flows.md b/docs/auth-flows.md
@@ -106,16 +106,31 @@ When device authentication is not supported by the server the response body MAY
 }
 ```
 
+If the `auth_flows` property is present, it MUST be an array of strings.
+If it is missing, it is assumed to have the value `["classic"]`.
+
 In this case, PkgAuthentication will execute the Classic Authentication Flow.
 
-When device authentication _is_ supported by the server, the response body MUST contain:
+When device authentication _is_ supported by the server, the response body MUST contain the `auth_flows` property, and the array MUST contain the value `device`.
+Additionally, the response body MUST contain the following properties:
+
+- `device_authorization_endpoint`: URL to be used to initiate the device authentication flow.
+- `device_token_endpoint`: URL to be used to exchange the device code for a token.
+- `device_token_refresh_url`: URL that can be used to refresh the token.
+
+Furthermore, the response body MAY contain the following properties:
+
+- `device_token_scope`: Scope to be used when requesting a token. If missing, the scope will be omitted from the device token request.
+
+An example of a possible valid response body:
 
 ```json
 {
   "auth_flows": ["classic", "device"],
   "device_token_refresh_url": "https://juliahub.com/auth/renew/token.toml/device/",
   "device_authorization_endpoint": "https://auth.juliahub.com/auth/device/code",
-  "device_token_endpoint": "https://auth.juliahub.com/auth/token"
+  "device_token_endpoint": "https://auth.juliahub.com/auth/token",
+  "device_token_scope": "openid email profile offline_access"
 }
 ```
 
diff --git a/src/PkgAuthentication.jl b/src/PkgAuthentication.jl
@@ -248,8 +248,9 @@ end
 
 function step(state::NoAuthentication)::Union{RequestLogin, Failure}
     auth_config = get_auth_configuration(state)
+    scope = get(auth_config, "device_token_scope", nothing)
     success, challenge, body_or_response = if "device" in get(auth_config, "auth_flows", [])
-        fetch_device_code(state, auth_config["device_authorization_endpoint"])
+        fetch_device_code(state, auth_config["device_authorization_endpoint"], scope)
     else
         initiate_browser_challenge(state)
     end
@@ -267,14 +268,14 @@ function step(state::NoAuthentication)::Union{RequestLogin, Failure}
     end
 end
 
-function fetch_device_code(state::NoAuthentication, device_endpoint::AbstractString)
+function fetch_device_code(state::NoAuthentication, device_endpoint::AbstractString, device_scope::Union{AbstractString, Nothing})
     output = IOBuffer()
     response = Downloads.request(
         device_endpoint,
         method = "POST",
         input = device_token_request_body(
             client_id = device_client_id(),
-            scope = "openid profile offline_access",
+            scope = device_scope,
         ),
         output = output,
         throw = false,
