Add device authorization grant (device code flow - rfc 8628) #1539
Conversation
duzumaki
force-pushed
the
add-device-flow
branch
5 times, most recently
from
d94410c to
acc1753
Compare
There was a problem hiding this comment.
This looks excellent, Only one thing grabbed my attention in my cursory code review, the type of the request parameter. Take a moment to double check that type. I've been bitten by OAuthLib's recasting of Request on a number of occasions. I hope to get time to more thoroughly review this by the end of the week
There was a problem hiding this comment.
This looks awesome! I left some comments even though I'm not a maintainer, I'm just an excited downstream user :). If you're too busy to address any of my feedback let me know, I'd be happy to spend some time on it.
I got this up and running locally and was able to complete the authorization flow. Other than the comments I left inline, I have a few thoughts.
- Were you planning on adding a default view and template to complete the flow, similar to the way other grant types operate? Obviously the device flow user interaction can be highly customized, but I think a simple view could provide a decent out of the box experience. This was the code I wrote on my application to test this end-to-end:
from oauthlib.oauth2.rfc8628.errors import (
AccessDenied,
ExpiredTokenError,
)
from oauth2_provider.models import get_device_model
from django import forms
class DeviceForm(forms.Form):
user_code = forms.CharField(required=True)
@login_required
def oauth_device_authenticate(request):
form = DeviceForm(request.POST or None)
if request.method == "POST" and form.is_valid():
user_code = form.cleaned_data["user_code"]
device = get_device_model().objects.filter(user_code=user_code).first()
if device is None:
form.add_error("user_code", "Incorrect user code")
else:
if timezone.now() > device.expires:
device.status = device.EXPIRED
device.save(update_fields=["status"])
raise ExpiredTokenError
if device.status in (device.DENIED, device.AUTHORIZED):
raise AccessDenied
if device.user_code == user_code:
device.status = device.AUTHORIZED
device.save(update_fields=["status"])
return HttpResponseRedirect(reverse("oauth-device-authenticate-success"))
return render(request, "device_authenticate.html", {"form": form})
@login_required
def oauth_device_authenticate_success(request):
return render(request, "device_authenticate_success.html")-
Likewise, are downstreams expected to implement their own
/tokenendpoint? -
Should DOT be a little bit more opinionated about how to generate things like
user_code? There seems to be a good bit in the RFC (6.1) about best practices that we could encode for downstreams: e.g. using a shorter code with enough entropy that has readable characters and is compared case-insensitively.
Thanks again for all this work :)
This code I put in tutotorial_06.rst was a simplified version of how I implemented in my own authserver. However this is up to the maintainers to decide but I'd rather get this merged and we add it later if we deem it important as I also worked on making sure oauthlib can support this grant so I've been working on this for quite some time now to put everything in place(this pr & this). Can always incrementally update django oauth toolkit but I would like to get the core tooling in first
No , they can if they want but oauth toolkit provides that endpoint. They just need to have a working
That's why I updated oauthlib to support the ability to pass in custom user code generator callables if you set the setting I made for it in oauth toolkit. I'm being core RFC focused here first and if anything opinionated needs to be added I think we can add it later, This pr is already chunky as is the way I see it. Nothing stopping us from releasing inceremental updates here instead of one big bang :)
Thank you! |
|
@danlamanna thanks for putting it through it's paces and for the code review. We always appreciate extra hands in the community kicking the tires on pull requests. @duzumaki I haven't had a chance to get into a thorough review yet. It's high on my OSS priority list. It would be nice to have a working implementation in the example idp/rp in tests/app. If you need any help on the rp side there, I'm happy to lend a hand. That will reduce our testing overhead as maintainers. It's a lot to review an OAuth Flow without also having to implement part of it as well, especially as we haven't been as awash in the specification as you seem to have been for a bit. I am partial to the idea of having necessary default views in DOT, I really prefer as much of a batteries included experience for our users. If we give people a half implementation in an initial release it will be a lot of work for a lot of people, then when we add in our own view implementations it'll be an upgrade headache for all of those users. If we can deliver a view that adheres to best practice with reasonable defaults which users can override I would much prefer that. |
|
makes sense. i'll port some implementation i had in my own custom auth server over to this pr |
duzumaki
force-pushed
the
add-device-flow
branch
7 times, most recently
from
cd79c50 to
04f6ccc
Compare
|
@duzumaki It looks like you may be battling with pre-commit which is fixing your code formatting after push. Do you have pre-commit installed locally? See https://django-oauth-toolkit.readthedocs.io/en/latest/contributing.html#code-style |
duzumaki
force-pushed
the
add-device-flow
branch
from
82ddc34 to
b47408e
Compare
|
@n2ygk The pushes aren't because of the pre-commit. I use rebase so I'm fixing the history so it's easier to review |
duzumaki
force-pushed
the
add-device-flow
branch
4 times, most recently
from
d73dcc0 to
a9eb10e
Compare
|
@n2ygk @dopry @danlamanna just added new commits that add everything needed to test the device flow end to end + a test that tests the whole flow touching all of the relevant views. again, reviewing the commits, commit by commit, will help versus looking at all files changed at once(during your first pass review anyway) @danlamanna I haven't addressed all of your comments yet. I just want to ensure we all agree on the complete set of views I've just added first then I'll go back to handle the smaller stuff you commented on @dopry all checks look good locally too |
|
I'll take a look later this evening |
This commit will not be merged(I think). Currently oauthlib is due a release so I'm pointing this to master
A public device code grant doesn't have a client_secret to check
It needs handled differently depending on the device grant type or not it also needs to be rate limited to adhrere to the polling section in the spec so a device can't spam the token endpoint
This creates a user friendly but still high entropy user code to be used in the device flow
Tests the device flow end to end
Older version doesn't work with newer version of python
In this commit I've addressed a few issues raised in comments about the flow. * Always return informative errors to user-facing views. If the device is not in the expected state, the errors are returned in the form, instead of raising exceptions. * Always return JSON response to device-facing view (aka TokenView). If the device is not in the expected state, the errors are returned according to the RFC. * Never involve device_code in frontend. The redirect to device-confirm view now takes client_id and user_code arguments instead of device_code * Increased test coverage. Added tests for expected error cases handled in the code
Perferred to use the Grant suffix in order to keep the naming consistent with other grant models.
This commit updates the views related to device auth flow from functions to class-based views. This makes it easy to import them in other projects and only overwrite small bits of functionality (specifically looking at templates and context_data). A 3rd view is added for the final step where the user is presented with the status of the device after they approve or deny. The views now also have a more "standard" django form behaviour, changes being relfected in the tests.
Welcome to Codecov 🎉Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests. ℹ️ You can also turn on project coverage checks and project coverage reporting on Pull Request comment Thanks for integrating Codecov - We've got you covered ☂️ |
Sure thing, I'll look into it Wednesday ✨ |
|
To save you some legwork @cristiprg (mostly written by Opus, but I've manually checked the specs and it is indeed correct): According to RFC 8628, if the client doesn't provide a client_id when it's required, the server should respond with an error. From Section 3.1, the client_id is "REQUIRED if the client is not authenticating with the authorization server as described in Section 3.2 states: "In the event of an error (such as an invalidly configured client), the authorization server responds in the Per RFC 6749 Section 5.2, this would be a 400 Bad Request with an "invalid_request" error: |
Note to reviewers: I've made this a "commit by commit" pr which means it's easier to review the pr if you go commit by commit rather than look at all files changed at once
Fixes #962
follow up from
oauthlib/oauthlib#881
&
oauthlib/oauthlib#889
Description of the Change
Checklist
CHANGELOG.mdupdated (only for user relevant changes)AUTHORS