feat: full user-code configuration

GitOrigin-RevId: 640f495fa2caf90025c60218554f4f968b2108ae

Author: zepatrik

driver/config/provider.go

@@ -7,11 +7,9 @@ import (
 	"context"
 	"crypto/sha512"
 	"fmt"
-	"maps"
 	"math"
 	"net/http"
 	"net/url"
-	"slices"
 	"strings"
 	"testing"
 	"time"
@@ -102,7 +100,9 @@ const (
 	KeySubjectIdentifierAlgorithmSalt            = "oidc.subject_identifiers.pairwise.salt"
 	KeyPublicAllowDynamicRegistration            = "oidc.dynamic_client_registration.enabled"
 	KeyDeviceAuthTokenPollingInterval            = "oauth2.device_authorization.token_polling_interval" // #nosec G101
-	KeyDeviceAuthUserCodeEntropy                 = "oauth2.device_authorization.user_code_entropy"
+	KeyDeviceAuthUserCodeEntropyPreset           = "oauth2.device_authorization.user_code.entropy_preset"
+	KeyDeviceAuthUserCodeLength                  = "oauth2.device_authorization.user_code.length"
+	KeyDeviceAuthUserCodeCharacterSet            = "oauth2.device_authorization.user_code.character_set"
 	KeyPKCEEnforced                              = "oauth2.pkce.enforced"
 	KeyPKCEEnforcedForPublicClients              = "oauth2.pkce.enforced_for_public_clients"
 	KeyLogLevel                                  = "log.level"
@@ -124,15 +124,6 @@ const (
 
 const DSNMemory = "memory"
 
-var userCodeEtropy = map[string]struct {
-	Length  int
-	Symbols []rune
-}{
-	"high":   {Length: 8, Symbols: randx.AlphaNumNoAmbiguous},
-	"medium": {Length: 8, Symbols: randx.AlphaUpper},
-	"low":    {Length: 9, Symbols: randx.Numeric},
-}
-
 var (
 	_ hasherx.PBKDF2Configurator = (*DefaultProvider)(nil)
 	_ hasherx.BCryptConfigurator = (*DefaultProvider)(nil)
@@ -437,31 +428,38 @@ func (p *DefaultProvider) GetDeviceAuthTokenPollingInterval(ctx context.Context)
 	return p.p.DurationF(KeyDeviceAuthTokenPollingInterval, time.Second*5)
 }
 
+func (p *DefaultProvider) userCodeEntropyPreset(t string) (int, []rune) {
+	switch t {
+	default:
+		p.l.Errorf(`invalid user code entropy preset %q, allowed values are "high", "medium", or "low"`, t)
+		fallthrough
+	case "high":
+		return 8, randx.AlphaNumNoAmbiguous
+	case "medium":
+		return 8, randx.AlphaUpper
+	case "low":
+		return 9, randx.Numeric
+	}
+}
+
 // GetUserCodeLength returns configured user_code length
 func (p *DefaultProvider) GetUserCodeLength(ctx context.Context) int {
-	k := p.getProvider(ctx).StringF(KeyDeviceAuthUserCodeEntropy, "medium")
-	profile, ok := userCodeEtropy[k]
-	if !ok {
-		p.l.WithError(errors.Errorf("Invalid user_code entropy: %s, allowed entropy values are: %s", k, strings.Join(slices.Collect(maps.Keys(userCodeEtropy)), ", ")))
-		return 0
+	if l := p.getProvider(ctx).Int(KeyDeviceAuthUserCodeLength); l > 0 {
+		return l
 	}
-	return profile.Length
+	k := p.getProvider(ctx).StringF(KeyDeviceAuthUserCodeEntropyPreset, "high")
+	l, _ := p.userCodeEntropyPreset(k)
+	return l
 }
 
-// GetDeviceAuthTokenPollingInterval returns configured user_code allowed symbols
+// GetUserCodeSymbols returns configured user_code allowed symbols
 func (p *DefaultProvider) GetUserCodeSymbols(ctx context.Context) []rune {
-	k := p.getProvider(ctx).StringF(KeyDeviceAuthUserCodeEntropy, "medium")
-	profile, ok := userCodeEtropy[k]
-	if !ok {
-		keys := []string{}
-		for k := range userCodeEtropy {
-			keys = append(keys, k)
-		}
-
-		p.l.WithError(errors.Errorf("Invalid user_code entropy: %s, allowed entropy values are: %s", k, keys))
-		return nil
+	if s := p.getProvider(ctx).String(KeyDeviceAuthUserCodeCharacterSet); s != "" {
+		return []rune(s)
 	}
-	return profile.Symbols
+	k := p.getProvider(ctx).StringF(KeyDeviceAuthUserCodeEntropyPreset, "high")
+	_, s := p.userCodeEntropyPreset(k)
+	return s
 }
 
 func (p *DefaultProvider) LoginURL(ctx context.Context) *url.URL {

driver/config/provider_test.go

@@ -326,7 +326,7 @@ func TestProviderValidates(t *testing.T) {
 	assert.Equal(t, true, c.GetEnforcePKCEForPublicClients(ctx))
 	assert.Equal(t, 2*time.Hour, c.GetDeviceAuthTokenPollingInterval(ctx))
 	assert.Equal(t, 8, c.GetUserCodeLength(ctx))
-	assert.Equal(t, randx.AlphaUpper, c.GetUserCodeSymbols(ctx))
+	assert.Equal(t, string(randx.AlphaUpper), string(c.GetUserCodeSymbols(ctx)))
 
 	// secrets
 	secret, err := c.GetGlobalSecret(ctx)
@@ -531,3 +531,23 @@ func TestJWTScopeClaimStrategy(t *testing.T) {
 	p.MustSet(ctx, KeyJWTScopeClaimStrategy, "both")
 	assert.Equal(t, jwt.JWTScopeFieldBoth, p.GetJWTScopeField(ctx))
 }
+
+func TestDeviceUserCode(t *testing.T) {
+	l := logrusx.New("", "")
+
+	t.Run("preset", func(t *testing.T) {
+		p := MustNew(t, l, configx.WithValue(KeyDeviceAuthUserCodeEntropyPreset, "low"))
+		assert.Equal(t, 9, p.GetUserCodeLength(t.Context()))
+		assert.Equal(t, string(randx.Numeric), string(p.GetUserCodeSymbols(t.Context())))
+	})
+
+	t.Run("explicit values", func(t *testing.T) {
+		length, charSet := 15, "foobarbaz1234"
+		p := MustNew(t, l, configx.WithValues(map[string]any{
+			KeyDeviceAuthUserCodeLength:       length,
+			KeyDeviceAuthUserCodeCharacterSet: charSet,
+		}))
+		assert.Equal(t, length, p.GetUserCodeLength(t.Context()))
+		assert.Equal(t, charSet, string(p.GetUserCodeSymbols(t.Context())))
+	})
+}

internal/.hydra.yaml

@@ -126,7 +126,8 @@ oauth2:
       cost: 20
   device_authorization:
     token_polling_interval: 2h
-    user_code_entropy: medium
+    user_code:
+      entropy_preset: medium
   pkce:
     enforced: true
     enforced_for_public_clients: true

spec/config.json

@@ -926,11 +926,39 @@
               "description": "Configures how often a non-interactive device should poll the device token endpoint, this is a purely informational configuration and does not enforce rate-limiting.",
               "examples": ["5s", "15s", "1m"]
             },
-            "user_code_entropy": {
-              "type": "string",
-              "description": "Sets the entropy for the user codes.",
-              "default": "medium",
-              "enum": ["high", "medium", "low"]
+            "user_code": {
+              "type": "object",
+              "description": "Configures the user code settings.",
+              "oneOf": [
+                {
+                  "properties": {
+                    "entropy_preset": {
+                      "type": "string",
+                      "description": "Presets for the user-code length and character set.",
+                      "enum": ["high", "medium", "low"]
+                    }
+                  },
+                  "required": ["entropy_preset"],
+                  "additionalProperties": false
+                },
+                {
+                  "properties": {
+                    "length": {
+                      "type": "integer",
+                      "description": "The length of the user code.",
+                      "minimum": 6
+                    },
+                    "character_set": {
+                      "type": "string",
+                      "description": "The character set to use for the user code. Provide the raw characters that should be used.",
+                      "examples": ["ABCDEFGHJKLMNPQRSTUVWXYZ23456789"],
+                      "minLength": 8
+                    }
+                  },
+                  "required": ["length", "character_set"],
+                  "additionalProperties": false
+                }
+              ]
             }
           }
         },