feat: implement RFC 8628 (#3912)

This patch introduces the OAuth 2.0 Device Authorization Grant to Ory
Hydra. The OAuth 2.0 device authorization grant is designed for
Internet-connected devices that either lack a browser to perform a
user-agent-based authorization or are input constrained to the extent
that requiring the user to input text in order to authenticate during
the authorization flow is impractical. It enables OAuth clients on such
devices (like smart TVs, media consoles, digital picture frames, and
printers) to obtain user authorization to access protected resources by
using a user agent on a separate device.

The OAuth 2.0 Device Authorization Grant may also become relevant for AI
Agent authentication flows and is generally an amazing step and
innovation for this project.

A very special thanks goes to @nsklikas from
[Canonical](https://canonical.com), @supercairos from
[shadow.tech](https://shadow.tech) and @BuzzBumbleBee.

For more details, please check out the documentation
(ory/docs#2026)

To implement this feature, you will need to implement two additional
screens in your login and consent application. A reference
implementation can be found
[here](https://github.com/ory/hydra-login-consent-node/blob/99ca6ad544f64110706c289dda74c7c622ec3110/src/routes/device.ts).

Closes #3851
Closes #3252
Closes #3230
Closes #2416

Author: nsklikas

.schema/config.schema.json

@@ -464,6 +464,11 @@
               "description": "Sets the session cookie name. Use with care!",
               "type": "object",
               "properties": {
+                "device_csrf": {
+                  "type": "string",
+                  "title": "CSRF Cookie Name",
+                  "default": "ory_hydra_device_csrf"
+                },
                 "login_csrf": {
                   "type": "string",
                   "title": "CSRF Cookie Name",
@@ -614,6 +619,14 @@
                 "https://my-service.com/oauth2/auth"
               ]
             },
+            "device_authorization_url": {
+              "type": "string",
+              "description": "Overwrites the OAuth2 Device Auth URL",
+              "format": "uri-reference",
+              "examples": [
+                "https://my-service.com/oauth2/device/auth"
+              ]
+            },
             "client_registration_url": {
               "description": "Sets the OpenID Connect Dynamic Client Registration Endpoint",
               "type": "string",
@@ -803,6 +816,30 @@
             "/ui/logout"
           ]
         },
+        "device": {
+          "type": "object",
+          "description": "Configure URLs for the OAuth 2.0 Device Code Flow.",
+          "properties": {
+            "verification": {
+              "type": "string",
+              "description": "Sets the device user code verification endpoint. Defaults to an internal fallback URL showing an error.",
+              "format": "uri-reference",
+              "examples": [
+                "https://my-logout.app/device_verification",
+                "/ui/device_verification"
+              ]
+            },
+            "success": {
+              "type": "string",
+              "description": "Sets the post device authentication endpoint. Defaults to an internal fallback URL showing an error.",
+              "format": "uri-reference",
+              "examples": [
+                "https://my-logout.app/device_done",
+                "/ui/device_done"
+              ]
+            }
+          }
+        },
         "error": {
           "type": "string",
           "description": "Sets the error endpoint. The error ui will be shown when an OAuth2 error occurs that which can not be sent back to the client. Defaults to an internal fallback URL showing an error.",
@@ -947,6 +984,15 @@
               "$ref": "#/definitions/duration"
             }
           ]
+        },
+        "device_user_code": {
+          "description": "Configures how long device & user codes are valid.",
+          "default": "10m",
+          "allOf": [
+            {
+              "$ref": "#/definitions/duration"
+            }
+          ]
         }
       }
     },
@@ -1124,6 +1170,28 @@
             }
           ]
         },
+        "device_authorization": {
+          "type": "object",
+          "additionalProperties": false,
+          "properties": {
+            "token_polling_interval": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/duration"
+                }
+              ],
+              "default": "5s",
+              "description": "Configures how often a non-interactive device should poll the device token endpoint, this is a purely informational configuration and does not enforce rate-limiting.",
+              "examples": ["5s", "15s", "1m"]
+            },
+            "user_code_entropy": {
+              "type": "string",
+              "description": "Sets the entropy for the user codes.",
+              "default": "medium",
+              "enum": ["high", "medium", "low"]
+            }
+          }
+        },
         "token_hook": {
           "description": "Sets the token hook endpoint for all grant types. If set it will be called while providing token to customize claims.",
           "examples": ["https://my-example.app/token-hook"],
@@ -1137,8 +1205,8 @@
             }
           ]
         }
-    }
-  },
+      }
+    },
     "secrets": {
       "type": "object",
       "additionalProperties": false,
@@ -1183,7 +1251,7 @@
       "examples": ["cpu"]
     },
     "tracing": {
-      "$ref": "https://raw.githubusercontent.com/ory/x/v0.0.675/otelx/config.schema.json"
+      "$ref": "ory://tracing-config"
     },
     "sqa": {
       "type": "object",

client/.snapshots/TestHandler-common-case=create_clients-case=0-description=basic_dynamic_client_registration.json

@@ -31,5 +31,8 @@
   "jwt_bearer_grant_access_token_lifespan": null,
   "refresh_token_grant_id_token_lifespan": null,
   "refresh_token_grant_access_token_lifespan": null,
-  "refresh_token_grant_refresh_token_lifespan": null
+  "refresh_token_grant_refresh_token_lifespan": null,
+  "device_authorization_grant_id_token_lifespan": null,
+  "device_authorization_grant_access_token_lifespan": null,
+  "device_authorization_grant_refresh_token_lifespan": null
 }

client/.snapshots/TestHandler-common-case=create_clients-case=1-description=basic_admin_registration.json

@@ -34,5 +34,8 @@
   "jwt_bearer_grant_access_token_lifespan": null,
   "refresh_token_grant_id_token_lifespan": null,
   "refresh_token_grant_access_token_lifespan": null,
-  "refresh_token_grant_refresh_token_lifespan": null
+  "refresh_token_grant_refresh_token_lifespan": null,
+  "device_authorization_grant_id_token_lifespan": null,
+  "device_authorization_grant_access_token_lifespan": null,
+  "device_authorization_grant_refresh_token_lifespan": null
 }

client/.snapshots/TestHandler-common-case=create_clients-case=10-description=empty_ID_succeeds.json

@@ -31,5 +31,8 @@
   "jwt_bearer_grant_access_token_lifespan": null,
   "refresh_token_grant_id_token_lifespan": null,
   "refresh_token_grant_access_token_lifespan": null,
-  "refresh_token_grant_refresh_token_lifespan": null
+  "refresh_token_grant_refresh_token_lifespan": null,
+  "device_authorization_grant_id_token_lifespan": null,
+  "device_authorization_grant_access_token_lifespan": null,
+  "device_authorization_grant_refresh_token_lifespan": null
 }

client/.snapshots/TestHandler-common-case=create_clients-case=10-description=setting_skip_logout_consent_succeeds_for_admin_registration.json

@@ -32,5 +32,8 @@
   "jwt_bearer_grant_access_token_lifespan": null,
   "refresh_token_grant_id_token_lifespan": null,
   "refresh_token_grant_access_token_lifespan": null,
-  "refresh_token_grant_refresh_token_lifespan": null
+  "refresh_token_grant_refresh_token_lifespan": null,
+  "device_authorization_grant_id_token_lifespan": null,
+  "device_authorization_grant_access_token_lifespan": null,
+  "device_authorization_grant_refresh_token_lifespan": null
 }

client/.snapshots/TestHandler-common-case=create_clients-case=12-description=empty_ID_succeeds.json

@@ -32,5 +32,8 @@
   "jwt_bearer_grant_access_token_lifespan": null,
   "refresh_token_grant_id_token_lifespan": null,
   "refresh_token_grant_access_token_lifespan": null,
-  "refresh_token_grant_refresh_token_lifespan": null
+  "refresh_token_grant_refresh_token_lifespan": null,
+  "device_authorization_grant_id_token_lifespan": null,
+  "device_authorization_grant_access_token_lifespan": null,
+  "device_authorization_grant_refresh_token_lifespan": null
 }

client/.snapshots/TestHandler-common-case=create_clients-case=2-description=empty_ID_succeeds.json

@@ -30,5 +30,8 @@
   "jwt_bearer_grant_access_token_lifespan": null,
   "refresh_token_grant_id_token_lifespan": null,
   "refresh_token_grant_access_token_lifespan": null,
-  "refresh_token_grant_refresh_token_lifespan": null
+  "refresh_token_grant_refresh_token_lifespan": null,
+  "device_authorization_grant_id_token_lifespan": null,
+  "device_authorization_grant_access_token_lifespan": null,
+  "device_authorization_grant_refresh_token_lifespan": null
 }

client/.snapshots/TestHandler-common-case=create_clients-case=4-description=non-uuid_works.json

@@ -34,5 +34,8 @@
   "jwt_bearer_grant_access_token_lifespan": null,
   "refresh_token_grant_id_token_lifespan": null,
   "refresh_token_grant_access_token_lifespan": null,
-  "refresh_token_grant_refresh_token_lifespan": null
+  "refresh_token_grant_refresh_token_lifespan": null,
+  "device_authorization_grant_id_token_lifespan": null,
+  "device_authorization_grant_access_token_lifespan": null,
+  "device_authorization_grant_refresh_token_lifespan": null
 }

client/.snapshots/TestHandler-common-case=create_clients-case=5-description=setting_client_id_as_uuid_works.json

@@ -34,5 +34,8 @@
   "jwt_bearer_grant_access_token_lifespan": null,
   "refresh_token_grant_id_token_lifespan": null,
   "refresh_token_grant_access_token_lifespan": null,
-  "refresh_token_grant_refresh_token_lifespan": null
+  "refresh_token_grant_refresh_token_lifespan": null,
+  "device_authorization_grant_id_token_lifespan": null,
+  "device_authorization_grant_access_token_lifespan": null,
+  "device_authorization_grant_refresh_token_lifespan": null
 }

client/.snapshots/TestHandler-common-case=create_clients-case=7-description=setting_skip_consent_suceeds_for_admin_registration.json

@@ -31,5 +31,8 @@
   "jwt_bearer_grant_access_token_lifespan": null,
   "refresh_token_grant_id_token_lifespan": null,
   "refresh_token_grant_access_token_lifespan": null,
-  "refresh_token_grant_refresh_token_lifespan": null
+  "refresh_token_grant_refresh_token_lifespan": null,
+  "device_authorization_grant_id_token_lifespan": null,
+  "device_authorization_grant_access_token_lifespan": null,
+  "device_authorization_grant_refresh_token_lifespan": null
 }