SecureAuthCorp
diff --git a/‎README.md‎
Lines changed: 22 additions & 1 deletion b/‎README.md‎
Lines changed: 22 additions & 1 deletion
diff --git a/‎cmd/oauth2.go‎
Lines changed: 2 additions & 0 deletions b/‎cmd/oauth2.go‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎cmd/oauth2_device.go‎
Lines changed: 99 additions & 0 deletions b/‎cmd/oauth2_device.go‎
Lines changed: 99 additions & 0 deletions
diff --git a/‎internal/oauth2/error.go‎
Lines changed: 5 additions & 0 deletions b/‎internal/oauth2/error.go‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎internal/oauth2/jwk.go‎
Lines changed: 64 additions & 0 deletions b/‎internal/oauth2/jwk.go‎
Lines changed: 64 additions & 0 deletions
diff --git a/‎internal/oauth2/jwk_test.go‎
Lines changed: 15 additions & 0 deletions b/‎internal/oauth2/jwk_test.go‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎internal/oauth2/jwt.go‎
Lines changed: 117 additions & 1 deletion b/‎internal/oauth2/jwt.go‎
Lines changed: 117 additions & 1 deletion
@@ -220,13 +220,34 @@ sending the user's credentials to the OAuth2 server.
 oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
   --client-id cauktionbud6q8ftlqq0 \
   --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
-  --grant-type password --username demo --password demo \
+  --grant-type password \
+  --username demo \
+  --password demo \
   --auth-method client_secret_basic \
   --scopes openid
 ```
 
 [Learn more about the password flow](https://cloudentity.com/developers/basics/oauth-grant-types/resource-owner-password-credentials/)
 
+#### Device
+
+This grant type is a two-step process that allows a user to grant access to their data without
+having to enter a username and password. In the first step, the user grants permission for the client to access
+their data. In the second step, the client exchanges the authorization code received in the first step for an
+access token. This grant type is commonly used in server-side applications, such as when accessing a device
+from a TV or other non-interactive device.
+
+``` sh
+oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
+  --client-id cauktionbud6q8ftlqq0 \
+  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
+  --grant-type urn:ietf:params:oauth:grant-type:device_code \
+  --auth-method client_secret_basic \
+  --scopes openid,email,offline_access
+```
+
+[Learn more about the device flow](https://cloudentity.com/developers/basics/oauth-grant-types/device/)
+
 #### JWT Bearer
 
 This grant type involves the client providing a JSON Web Token (JWT) to the OAuth2 server, which then returns
 
@@ -179,6 +179,8 @@ func (c *OAuth2Cmd) Authorize(clientConfig oauth2.ClientConfig, hc *http.Client)
 		return c.JWTBearerGrantFlow(clientConfig, serverConfig, hc)
 	case oauth2.TokenExchangeGrantType:
 		return c.TokenExchangeGrantFlow(clientConfig, serverConfig, hc)
+	case oauth2.DeviceGrantType:
+		return c.DeviceGrantFlow(clientConfig, serverConfig, hc)
 	}
 
 	return fmt.Errorf("Unknown grant type: %s", clientConfig.GrantType)
 
@@ -0,0 +1,99 @@
+package cmd
+
+import (
+	"context"
+	"errors"
+	"net/http"
+	"time"
+
+	"github.com/cloudentity/oauth2c/internal/oauth2"
+	"github.com/pkg/browser"
+)
+
+func (c *OAuth2Cmd) DeviceGrantFlow(clientConfig oauth2.ClientConfig, serverConfig oauth2.ServerConfig, hc *http.Client) error {
+	var (
+		authorizationRequest  oauth2.Request
+		authorizationResponse oauth2.DeviceAuthorizationResponse
+		tokenRequest          oauth2.Request
+		tokenResponse         oauth2.TokenResponse
+		err                   error
+	)
+
+	LogHeader("Device Flow")
+
+	// device authorization endpoint
+	LogSection("Request device authorization")
+
+	if authorizationRequest, authorizationResponse, err = oauth2.RequestDeviceAuthorization(context.Background(), clientConfig, serverConfig, hc); err != nil {
+		return err
+	}
+
+	LogRequestAndResponse(authorizationRequest, authorizationResponse)
+
+	Logfln("\nOpen the following URL:\n\n%s\n", authorizationResponse.VerificationURIComplete)
+
+	if err = browser.OpenURL(authorizationResponse.VerificationURIComplete); err != nil {
+		LogError(err)
+	}
+
+	Logln()
+
+	// polling
+	tokenStatus := LogAction("Waiting for token. Go to the browser to authenticate...")
+
+	ticker := time.NewTicker(time.Duration(authorizationResponse.Interval) * time.Second)
+	done := make(chan error)
+
+	go func() {
+		var oauth2Error *oauth2.Error
+
+		defer close(done)
+
+		for {
+			select {
+			case <-done:
+				return
+			case <-ticker.C:
+				if tokenRequest, tokenResponse, err = oauth2.RequestToken(
+					context.Background(),
+					clientConfig,
+					serverConfig,
+					hc,
+					oauth2.WithDeviceCode(authorizationResponse.DeviceCode),
+				); err != nil {
+					if errors.As(err, &oauth2Error) {
+						switch oauth2Error.ErrorCode {
+						case oauth2.ErrAuthorizationPending, oauth2.ErrSlowDown:
+							continue
+						}
+					}
+
+					done <- err
+
+					return
+				} else {
+					return
+				}
+			}
+		}
+	}()
+
+	err = <-done
+
+	LogSection("Exchange device code for token")
+
+	if err != nil {
+		LogRequestAndResponseln(tokenRequest, err)
+		return err
+	}
+
+	LogAuthMethod(clientConfig)
+	LogRequestAndResponse(tokenRequest, tokenResponse)
+	LogTokenPayloadln(tokenResponse)
+
+	c.PrintResult(tokenResponse)
+
+	tokenStatus("Obtained token")
+
+	return nil
+}
@@ -7,6 +7,11 @@ import (
 	"strings"
 )
 
+const (
+	ErrAuthorizationPending = "authorization_pending"
+	ErrSlowDown             = "slow_down"
+)
+
 type Error struct {
 	StatusCode int    `json:"-"`
 	TraceID    string `json:"-"`
 
@@ -0,0 +1,64 @@
+package oauth2
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"strings"
+
+	"github.com/go-jose/go-jose/v3"
+	"github.com/pkg/errors"
+)
+
+type KeyUse string
+
+const (
+	SigningKey    KeyUse = "sig"
+	EncryptionKey KeyUse = "enc"
+)
+
+func ReadKey(use KeyUse, location string, hc *http.Client) (jose.JSONWebKey, error) {
+	var (
+		keys jose.JSONWebKeySet
+		bs   []byte
+		resp *http.Response
+		err  error
+	)
+
+	if strings.HasPrefix(location, "http") {
+		if resp, err = hc.Get(location); err != nil {
+			return jose.JSONWebKey{}, errors.Wrapf(err, "failed to call: %s", location)
+		}
+		defer resp.Body.Close()
+
+		if bs, err = io.ReadAll(resp.Body); err != nil {
+			return jose.JSONWebKey{}, errors.Wrapf(err, "failed to read response body from: %s", location)
+		}
+
+		if resp.StatusCode != 200 {
+			return jose.JSONWebKey{}, fmt.Errorf("received unexpected status code: %d, body: %s", resp.StatusCode, string(bs))
+		}
+	} else {
+		if bs, err = os.ReadFile(location); err != nil {
+			return jose.JSONWebKey{}, errors.Wrapf(err, "failed to read file: %s", location)
+		}
+	}
+
+	if err = json.Unmarshal(bs, &keys); err != nil {
+		return jose.JSONWebKey{}, errors.Wrapf(err, "failed to parse jwks keys: %s", location)
+	}
+
+	if len(keys.Keys) == 0 {
+		return jose.JSONWebKey{}, errors.New("keys are empty")
+	}
+
+	for _, key := range keys.Keys {
+		if key.Use == string(use) {
+			return key, nil
+		}
+	}
+
+	return jose.JSONWebKey{}, fmt.Errorf("could not find %s key", use)
+}
@@ -0,0 +1,15 @@
+package oauth2
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestReadKey(t *testing.T) {
+	key, err := ReadKey(SigningKey, "../../data/key.json", http.DefaultClient)
+	require.NoError(t, err)
+
+	require.NotNil(t, key)
+}
@@ -1,6 +1,14 @@
 package oauth2
 
-import "github.com/go-jose/go-jose/v3/jwt"
+import (
+	"encoding/json"
+	"net/http"
+	"time"
+
+	"github.com/go-jose/go-jose/v3"
+	"github.com/go-jose/go-jose/v3/jwt"
+	"github.com/pkg/errors"
+)
 
 func UnsafeParseJWT(token string) (*jwt.JSONWebToken, map[string]interface{}, error) {
 	var (
@@ -19,3 +27,111 @@ func UnsafeParseJWT(token string) (*jwt.JSONWebToken, map[string]interface{}, er
 
 	return t, claims, nil
 }
+
+type SignerProvider func() (jose.Signer, interface{}, error)
+
+func JWKSigner(clientConfig ClientConfig, hc *http.Client) SignerProvider {
+	return func() (signer jose.Signer, _ interface{}, err error) {
+		var key jose.JSONWebKey
+
+		if clientConfig.SigningKey == "" {
+			return nil, nil, errors.New("no signing key path")
+		}
+
+		if key, err = ReadKey(SigningKey, clientConfig.SigningKey, hc); err != nil {
+			return nil, nil, errors.Wrapf(err, "failed to read signing key from %s", clientConfig.SigningKey)
+		}
+
+		if signer, err = jose.NewSigner(jose.SigningKey{
+			Algorithm: jose.SignatureAlgorithm(key.Algorithm),
+			Key:       key.Key,
+		}, &jose.SignerOptions{
+			ExtraHeaders: map[jose.HeaderKey]interface{}{"kid": key.KeyID},
+		}); err != nil {
+			return nil, nil, errors.Wrapf(err, "failed to create a signer")
+		}
+
+		return signer, key.Key, nil
+	}
+}
+
+func SecretSigner(secret []byte) SignerProvider {
+	return func() (jose.Signer, interface{}, error) {
+		signer, err := jose.NewSigner(jose.SigningKey{
+			Algorithm: jose.HS256,
+			Key:       secret,
+		}, nil)
+
+		return signer, secret, err
+	}
+}
+
+type ClaimsProvider func() (map[string]interface{}, error)
+
+func AssertionClaims(serverConfig ServerConfig, clientConfig ClientConfig) ClaimsProvider {
+	return func() (map[string]interface{}, error) {
+		var err error
+
+		claims := map[string]interface{}{
+			"iss": serverConfig.TokenEndpoint,
+			"aud": serverConfig.TokenEndpoint,
+			"iat": time.Now().Unix(),
+			"exp": time.Now().Add(time.Minute * 10).Unix(),
+			"jti": RandomString(20),
+		}
+
+		if clientConfig.Assertion == "" {
+			clientConfig.Assertion = "{}"
+		}
+
+		if err = json.Unmarshal([]byte(clientConfig.Assertion), &claims); err != nil {
+			return nil, err
+		}
+
+		return claims, nil
+	}
+}
+
+func ClientAssertionClaims(serverConfig ServerConfig, clientConfig ClientConfig) ClaimsProvider {
+	return func() (map[string]interface{}, error) {
+		return map[string]interface{}{
+			"iss": clientConfig.ClientID,
+			"sub": clientConfig.ClientID,
+			"aud": serverConfig.TokenEndpoint,
+			"iat": time.Now().Unix(),
+			"exp": time.Now().Add(time.Minute * 10).Unix(),
+			"jti": RandomString(20),
+		}, nil
+	}
+}
+
+func SignJWT(claimsProvider ClaimsProvider, signerProvider SignerProvider) (jwt string, key interface{}, err error) {
+	var (
+		signer jose.Signer
+		claims map[string]interface{}
+		jws    *jose.JSONWebSignature
+		bs     []byte
+	)
+
+	if signer, key, err = signerProvider(); err != nil {
+		return "", nil, errors.Wrapf(err, "failed to create signer")
+	}
+
+	if claims, err = claimsProvider(); err != nil {
+		return "", nil, errors.Wrapf(err, "failed to build claims")
+	}
+
+	if bs, err = json.Marshal(claims); err != nil {
+		return "", nil, errors.Wrapf(err, "failed to serialize claims")
+	}
+
+	if jws, err = signer.Sign(bs); err != nil {
+		return "", nil, errors.Wrapf(err, "failed to sign jwt")
+	}
+
+	if jwt, err = jws.CompactSerialize(); err != nil {
+		return "", nil, err
+	}
+
+	return jwt, key, nil
+}
Original file line number	Diff line number	Diff line change
`@@ -179,6 +179,8 @@ func (c OAuth2Cmd) Authorize(clientConfig oauth2.ClientConfig, hc http.Client)`
`179`	`179`	`return c.JWTBearerGrantFlow(clientConfig, serverConfig, hc)`
`180`	`180`	`case oauth2.TokenExchangeGrantType:`
`181`	`181`	`return c.TokenExchangeGrantFlow(clientConfig, serverConfig, hc)`
	`182`	`+ case oauth2.DeviceGrantType:`
	`183`	`+ return c.DeviceGrantFlow(clientConfig, serverConfig, hc)`
`182`	`184`	`}`
`183`	`185`
`184`	`186`	`return fmt.Errorf("Unknown grant type: %s", clientConfig.GrantType)`