Add the device user code form

duzumaki · dopry · commit b505d2d38046 · 2025-06-27T22:32:45.000-04:00
diff --git a/oauth2_provider/templates/oauth2_provider/device/user_code.html b/oauth2_provider/templates/oauth2_provider/device/user_code.html
@@ -0,0 +1,16 @@
+{% extends "oauth2_provider/base.html" %}
+{% block content %}
+<html>
+<head>
+    <title>Device code</title>
+</head>
+<body>
+    <h1>Enter code displayed on device</h1>
+    <form method="post">
+        {% csrf_token %}
+        {{ form.as_p }}
+        <button type="submit">Verify</button>
+    </form>
+</body>
+</html>
+{% endblock content %}
diff --git a/oauth2_provider/urls.py b/oauth2_provider/urls.py
@@ -11,7 +11,8 @@
     path("token/", views.TokenView.as_view(), name="token"),
     path("revoke_token/", views.RevokeTokenView.as_view(), name="revoke-token"),
     path("introspect/", views.IntrospectTokenView.as_view(), name="introspect"),
-    path("device_authorization/", views.DeviceAuthorizationView.as_view(), name="device-authorization")
+    path("device-authorization/", views.DeviceAuthorizationView.as_view(), name="device-authorization"),
+    path("device/", views.device_user_code_view, name="device"),
 ]
 
 
diff --git a/oauth2_provider/views/device.py b/oauth2_provider/views/device.py
@@ -1,13 +1,20 @@
 import json
 
-from django import http
+from django import forms, http
+from django.contrib.auth.decorators import login_required
+from django.shortcuts import render
+from django.urls import reverse
 from django.utils.decorators import method_decorator
 from django.views.decorators.csrf import csrf_exempt
 from django.views.generic import View
 from oauthlib.oauth2 import DeviceApplicationServer
+from oauthlib.oauth2.rfc8628.errors import (
+    AccessDenied,
+    ExpiredTokenError,
+)
 
 from oauth2_provider.compat import login_not_required
-from oauth2_provider.models import DeviceCodeResponse, DeviceRequest, create_device
+from oauth2_provider.models import Device, DeviceCodeResponse, DeviceRequest, create_device, get_device_model
 from oauth2_provider.views.mixins import OAuthLibMixin
 
 
@@ -28,3 +35,44 @@ def post(self, request, *args, **kwargs):
         create_device(device_request, device_response)
 
         return http.JsonResponse(data=response, status=status, headers=headers)
+
+
+class DeviceForm(forms.Form):
+    user_code = forms.CharField(required=True)
+
+
+# it's common to see in real world products
+# device flow's only asking the user to sign in after they input the
+# user code but since the user has to be signed in regardless to approve the
+# device login we're making the decision here to require being logged in
+# up front
+@login_required
+def device_user_code_view(request):
+    form = DeviceForm(request.POST)
+
+    if request.method != "POST":
+        return render(request, "oauth2_provider/device/user_code.html", {"form": form})
+
+    if not form.is_valid():
+        return render(request, "oauth2_provider/device/user_code.html", {"form": form})
+
+    user_code: str = form.cleaned_data["user_code"]
+    device: Device = get_device_model().objects.get(user_code=user_code)
+
+    if device is None:
+        form.add_error("user_code", "Incorrect user code")
+        return render(request, "oauth2_provider/device/user_code.html", {"form": form})
+
+    if device.is_expired():
+        device.status = device.EXPIRED
+        device.save(update_fields=["status"])
+        raise ExpiredTokenError
+
+    # User of device has already made their decision for this device
+    if device.status in (device.DENIED, device.AUTHORIZED):
+        raise AccessDenied
+
+    # 308 to indicate we want to keep the redirect being a POST request
+    return http.HttpResponsePermanentRedirect(
+        reverse("oauth2_provider:device-confirm", kwargs={"device_code": device.device_code}), status=308
+    )
diff --git a/tests/app/idp/templates/device/user_code.html b/tests/app/idp/templates/device/user_code.html
@@ -0,0 +1,16 @@
+{% extends "oauth2_provider/base.html" %}
+{% block content %}
+<html>
+<head>
+    <title>Device code</title>
+</head>
+<body>
+    <h1>Enter code displayed on device</h1>
+    <form method="post">
+        {% csrf_token %}
+        {{ form.as_p }}
+        <button type="submit">Verify</button>
+    </form>
+</body>
+</html>
+{% endblock content %}

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,8 @@`
`11`	`11`	`path("token/", views.TokenView.as_view(), name="token"),`
`12`	`12`	`path("revoke_token/", views.RevokeTokenView.as_view(), name="revoke-token"),`
`13`	`13`	`path("introspect/", views.IntrospectTokenView.as_view(), name="introspect"),`
`14`		`- path("device_authorization/", views.DeviceAuthorizationView.as_view(), name="device-authorization")`
	`14`	`+ path("device-authorization/", views.DeviceAuthorizationView.as_view(), name="device-authorization"),`
	`15`	`+ path("device/", views.device_user_code_view, name="device"),`
`15`	`16`	`]`
`16`	`17`
`17`	`18`