fix(oauth): Support public clients for device flow per RFC 8628 §5.6

The OAuth 2.0 Device Authorization Grant (RFC 8628) is designed for
headless clients like CLIs, native apps, and IoT devices that cannot
securely store credentials.

Per RFC 8628 §5.6 (Non-Confidential Clients):
> Device clients are generally incapable of maintaining the
> confidentiality of their credentials, as users in possession of
> the device can reverse-engineer it and extract the credentials.
> Therefore, unless additional measures are taken, they should be
> treated as public clients.

And per RFC 8628 §3.4 (Device Access Token Request):
> client_id: REQUIRED if the client is not authenticating with the
> authorization server as described in Section 3.2.1. of [RFC6749].

The previous implementation required client_secret for ALL grant
types, including device_code. This broke the fundamental design of
the device flow, which is meant for public clients that authenticate
with only client_id.

Changes:
- Move grant_type validation before credential check
- For device_code grant: only require client_id (public client mode)
- If client_secret is provided: still validate it (confidential client)
- Other grant types: unchanged (still require client_id + client_secret)

This allows CLIs to authenticate without embedding secrets while still
supporting confidential clients that choose to provide credentials.

Author: betegon

src/sentry/web/frontend/oauth_token.py

@@ -17,7 +17,11 @@
 from sentry import options
 from sentry.locks import locks
 from sentry.models.apiapplication import ApiApplication, ApiApplicationStatus
-from sentry.models.apidevicecode import DEFAULT_INTERVAL, ApiDeviceCode, DeviceCodeStatus
+from sentry.models.apidevicecode import (
+    DEFAULT_INTERVAL,
+    ApiDeviceCode,
+    DeviceCodeStatus,
+)
 from sentry.models.apigrant import ApiGrant, ExpiredGrantError, InvalidGrantError
 from sentry.models.apitoken import ApiToken
 from sentry.ratelimits import backend as ratelimiter
@@ -104,6 +108,8 @@ def post(self, request: Request) -> HttpResponse:
         Client authentication
         - Either Authorization header (Basic) or form fields `client_id`/`client_secret`
           (RFC 6749 §2.3.1). Only one method may be used per request.
+        - For device_code grant: supports public clients per RFC 8628 §5.6, which only
+          require `client_id`. If `client_secret` is provided, it will be validated.
 
         Request format
         - Requests are `application/x-www-form-urlencoded` as defined in RFC 6749 §3.2.
@@ -120,8 +126,22 @@ def post(self, request: Request) -> HttpResponse:
         """
         grant_type = request.POST.get("grant_type")
 
+        # Validate grant_type first (needed to determine auth requirements)
+        if not grant_type:
+            return self.error(
+                request=request, name="invalid_request", reason="missing grant_type"
+            )
+        if grant_type not in [
+            GrantTypes.AUTHORIZATION,
+            GrantTypes.REFRESH,
+            GrantTypes.DEVICE_CODE,
+        ]:
+            return self.error(request=request, name="unsupported_grant_type")
+
         # Determine client credentials from header or body (mutually exclusive).
-        (client_id, client_secret), cred_error = self._extract_basic_auth_credentials(request)
+        (client_id, client_secret), cred_error = self._extract_basic_auth_credentials(
+            request
+        )
         if cred_error is not None:
             return cred_error
 
@@ -131,42 +151,78 @@ def post(self, request: Request) -> HttpResponse:
             tags={
                 "client_id_exists": bool(client_id),
                 "client_secret_exists": bool(client_secret),
+                "grant_type": grant_type,
             },
         )
 
-        if not client_id or not client_secret:
-            return self.error(
-                request=request,
-                name="invalid_client",
-                reason="missing client credentials",
-                status=401,
-            )
+        # Device flow supports public clients per RFC 8628 §5.6.
+        # Public clients only provide client_id to identify themselves.
+        # If client_secret is provided, we still validate it for confidential clients.
+        if grant_type == GrantTypes.DEVICE_CODE:
+            if not client_id:
+                return self.error(
+                    request=request,
+                    name="invalid_client",
+                    reason="missing client_id",
+                    status=401,
+                )
 
-        if not grant_type:
-            return self.error(request=request, name="invalid_request", reason="missing grant_type")
-        if grant_type not in [GrantTypes.AUTHORIZATION, GrantTypes.REFRESH, GrantTypes.DEVICE_CODE]:
-            return self.error(request=request, name="unsupported_grant_type")
+            # Build query - validate secret only if provided (confidential client)
+            query = {"client_id": client_id}
+            if client_secret:
+                query["client_secret"] = client_secret
 
-        try:
-            # Note: We don't filter by status here to distinguish between invalid
-            # credentials (unknown client) and inactive applications. This allows
-            # proper grant cleanup per RFC 6749 §10.5 and clearer metrics.
-            application = ApiApplication.objects.get(
-                client_id=client_id,
-                client_secret=client_secret,
-            )
-        except ApiApplication.DoesNotExist:
-            metrics.incr(
-                "oauth_token.post.invalid",
-                sample_rate=1.0,
-            )
-            logger.warning("Invalid client_id / secret pair", extra={"client_id": client_id})
-            return self.error(
-                request=request,
-                name="invalid_client",
-                reason="invalid client_id or client_secret",
-                status=401,
-            )
+            try:
+                application = ApiApplication.objects.get(**query)
+            except ApiApplication.DoesNotExist:
+                metrics.incr("oauth_token.post.invalid", sample_rate=1.0)
+                if client_secret:
+                    logger.warning(
+                        "Invalid client_id / secret pair",
+                        extra={"client_id": client_id},
+                    )
+                    reason = "invalid client_id or client_secret"
+                else:
+                    logger.warning("Invalid client_id", extra={"client_id": client_id})
+                    reason = "invalid client_id"
+                return self.error(
+                    request=request,
+                    name="invalid_client",
+                    reason=reason,
+                    status=401,
+                )
+        else:
+            # Other grant types require confidential client authentication
+            if not client_id or not client_secret:
+                return self.error(
+                    request=request,
+                    name="invalid_client",
+                    reason="missing client credentials",
+                    status=401,
+                )
+
+            try:
+                # Note: We don't filter by status here to distinguish between invalid
+                # credentials (unknown client) and inactive applications. This allows
+                # proper grant cleanup per RFC 6749 §10.5 and clearer metrics.
+                application = ApiApplication.objects.get(
+                    client_id=client_id,
+                    client_secret=client_secret,
+                )
+            except ApiApplication.DoesNotExist:
+                metrics.incr(
+                    "oauth_token.post.invalid",
+                    sample_rate=1.0,
+                )
+                logger.warning(
+                    "Invalid client_id / secret pair", extra={"client_id": client_id}
+                )
+                return self.error(
+                    request=request,
+                    name="invalid_client",
+                    reason="invalid client_id or client_secret",
+                    status=401,
+                )
 
         # Check application status separately from credential validation.
         # This preserves metric clarity and provides consistent error handling.
@@ -186,7 +242,9 @@ def post(self, request: Request) -> HttpResponse:
                     # Use unguarded_write because deleting the grant triggers SET_NULL on
                     # SentryAppInstallation.api_grant, which is a cross-model write
                     with unguarded_write(using=router.db_for_write(ApiGrant)):
-                        ApiGrant.objects.filter(application=application, code=code).delete()
+                        ApiGrant.objects.filter(
+                            application=application, code=code
+                        ).delete()
             # For device_code, invalidate the device code
             elif grant_type == GrantTypes.DEVICE_CODE:
                 device_code_value = request.POST.get("device_code")
@@ -223,11 +281,17 @@ def post(self, request: Request) -> HttpResponse:
             )
 
         if grant_type == GrantTypes.AUTHORIZATION:
-            token_data = self.get_access_tokens(request=request, application=application)
+            token_data = self.get_access_tokens(
+                request=request, application=application
+            )
         elif grant_type == GrantTypes.DEVICE_CODE:
-            return self.handle_device_code_grant(request=request, application=application)
+            return self.handle_device_code_grant(
+                request=request, application=application
+            )
         else:
-            token_data = self.get_refresh_token(request=request, application=application)
+            token_data = self.get_refresh_token(
+                request=request, application=application
+            )
         if "error" in token_data:
             return self.error(
                 request=request,
@@ -292,22 +356,28 @@ def _extract_basic_auth_credentials(
                 # avoid excessive memory use on decode.
                 b64 = param.strip()
                 if len(b64) > MAX_BASIC_AUTH_B64_LEN:
-                    logger.warning("Invalid Basic auth header: too long", extra={"client_id": None})
+                    logger.warning(
+                        "Invalid Basic auth header: too long", extra={"client_id": None}
+                    )
                     return (None, None), self.error(
                         request=request,
                         name="invalid_client",
                         reason="invalid basic auth (too long)",
                         status=401,
                     )
                 try:
-                    decoded = base64.b64decode(b64.encode("ascii"), validate=True).decode("utf-8")
+                    decoded = base64.b64decode(
+                        b64.encode("ascii"), validate=True
+                    ).decode("utf-8")
                     # format: client_id:client_secret (client_secret may be empty)
                     if ":" not in decoded:
                         raise ValueError("missing colon in basic credentials")
                     client_id, client_secret = decoded.split(":", 1)
                     return (client_id, client_secret), None
                 except Exception:
-                    logger.warning("Invalid Basic auth header", extra={"client_id": None})
+                    logger.warning(
+                        "Invalid Basic auth header", extra={"client_id": None}
+                    )
                     return (None, None), self.error(
                         request=request,
                         name="invalid_client",
@@ -340,9 +410,15 @@ def get_access_tokens(self, request: Request, application: ApiApplication) -> di
                 code_verifier=request.POST.get("code_verifier"),
             )
         except InvalidGrantError as e:
-            return {"error": "invalid_grant", "reason": str(e) if str(e) else "invalid grant"}
+            return {
+                "error": "invalid_grant",
+                "reason": str(e) if str(e) else "invalid grant",
+            }
         except ExpiredGrantError as e:
-            return {"error": "invalid_grant", "reason": str(e) if str(e) else "grant expired"}
+            return {
+                "error": "invalid_grant",
+                "reason": str(e) if str(e) else "grant expired",
+            }
 
         token_data = {"token": api_token}