-
Notifications
You must be signed in to change notification settings - Fork 1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
oauth2: use client authn on device auth request
According to https://datatracker.ietf.org/doc/html/rfc8628#section-3.1, the device auth request must include client authentication. Fixes #685
- Loading branch information
Showing
5 changed files
with
245 additions
and
49 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,97 @@ | ||
// Copyright 2014 The Go Authors. All rights reserved. | ||
// Use of this source code is governed by a BSD-style | ||
// license that can be found in the LICENSE file. | ||
|
||
package internal | ||
|
||
import ( | ||
"context" | ||
"encoding/json" | ||
"fmt" | ||
"io" | ||
"net/url" | ||
"time" | ||
) | ||
|
||
// DeviceAuthResponse describes a successful RFC 8628 Device Authorization Response | ||
// https://datatracker.ietf.org/doc/html/rfc8628#section-3.2 | ||
// | ||
// This type is a mirror of oauth2.DeviceAuthResponse, with the only difference | ||
// being that in this struct `expires_in` isn't mapped to a timestamp. It solely | ||
// exists to break an otherwise-circular dependency. Other internal packages should | ||
// convert this DeviceAuthResponse into an oauth2.DeviceAuthResponse before use. | ||
type DeviceAuthResponse struct { | ||
// DeviceCode | ||
DeviceCode string `json:"device_code"` | ||
// UserCode is the code the user should enter at the verification uri | ||
UserCode string `json:"user_code"` | ||
// VerificationURI is where user should enter the user code | ||
VerificationURI string `json:"verification_uri"` | ||
// VerificationURIComplete (if populated) includes the user code in the verification URI. This is typically shown to the user in non-textual form, such as a QR code. | ||
VerificationURIComplete string `json:"verification_uri_complete,omitempty"` | ||
// Expiry is when the device code and user code expire | ||
Expiry int64 `json:"expires_in,omitempty"` | ||
// Interval is the duration in seconds that Poll should wait between requests | ||
Interval int64 `json:"interval,omitempty"` | ||
} | ||
|
||
func RetrieveDeviceAuth(ctx context.Context, clientID, clientSecret, deviceAuthURL string, v url.Values, authStyle AuthStyle, styleCache *AuthStyleCache) (*DeviceAuthResponse, error) { | ||
needsAuthStyleProbe := authStyle == AuthStyleUnknown | ||
if needsAuthStyleProbe { | ||
if style, ok := styleCache.lookupAuthStyle(deviceAuthURL); ok { | ||
authStyle = style | ||
needsAuthStyleProbe = false | ||
} else { | ||
authStyle = AuthStyleInHeader // the first way we'll try | ||
} | ||
} | ||
|
||
req, err := NewRequestWithClientAuthn("POST", deviceAuthURL, clientID, clientSecret, v, authStyle) | ||
if err != nil { | ||
return nil, err | ||
} | ||
req.Header.Set("Content-Type", "application/x-www-form-urlencoded") | ||
req.Header.Set("Accept", "application/json") | ||
|
||
t := time.Now() | ||
r, err := ContextClient(ctx).Do(req) | ||
|
||
if err != nil && needsAuthStyleProbe { | ||
// If we get an error, assume the server wants the | ||
// clientID & clientSecret in a different form. | ||
authStyle = AuthStyleInParams // the second way we'll try | ||
req, _ := NewRequestWithClientAuthn("POST", deviceAuthURL, clientID, clientSecret, v, authStyle) | ||
r, err = ContextClient(ctx).Do(req) | ||
} | ||
if needsAuthStyleProbe && err == nil { | ||
styleCache.setAuthStyle(deviceAuthURL, authStyle) | ||
} | ||
|
||
if err != nil { | ||
return nil, err | ||
} | ||
defer r.Body.Close() | ||
|
||
body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) | ||
if err != nil { | ||
return nil, fmt.Errorf("oauth2: cannot auth device: %v", err) | ||
} | ||
if code := r.StatusCode; code < 200 || code > 299 { | ||
return nil, &RetrieveError{ | ||
Response: r, | ||
Body: body, | ||
} | ||
} | ||
|
||
da := &DeviceAuthResponse{} | ||
err = json.Unmarshal(body, &da) | ||
if err != nil { | ||
return nil, fmt.Errorf("unmarshal %s", err) | ||
} | ||
|
||
if da.Expiry != 0 { | ||
// Make a small adjustment to account for time taken by the request | ||
da.Expiry = da.Expiry + int64(t.Nanosecond()) | ||
} | ||
return da, nil | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,88 @@ | ||
// Copyright 2014 The Go Authors. All rights reserved. | ||
// Use of this source code is governed by a BSD-style | ||
// license that can be found in the LICENSE file. | ||
|
||
package internal | ||
|
||
import ( | ||
"context" | ||
"io" | ||
"net/http" | ||
"net/http/httptest" | ||
"net/url" | ||
"testing" | ||
) | ||
|
||
func TestDeviceAuth_ClientAuthnInParams(t *testing.T) { | ||
styleCache := new(AuthStyleCache) | ||
const clientID = "client-id" | ||
const clientSecret = "client-secret" | ||
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { | ||
if got, want := r.FormValue("client_id"), clientID; got != want { | ||
t.Errorf("client_id = %q; want %q", got, want) | ||
} | ||
if got, want := r.FormValue("client_secret"), clientSecret; got != want { | ||
t.Errorf("client_secret = %q; want %q", got, want) | ||
} | ||
io.WriteString(w, `{"device_code":"code","user_code":"user_code","verification_uri":"http://example.device.com","expires_in":300,"interval":5}`) | ||
})) | ||
defer ts.Close() | ||
_, err := RetrieveDeviceAuth(context.Background(), clientID, clientSecret, ts.URL, url.Values{}, AuthStyleInParams, styleCache) | ||
if err != nil { | ||
t.Errorf("RetrieveDeviceAuth = %v; want no error", err) | ||
} | ||
} | ||
|
||
func TestDeviceAuth_ClientAuthnInHeader(t *testing.T) { | ||
styleCache := new(AuthStyleCache) | ||
const clientID = "client-id" | ||
const clientSecret = "client-secret" | ||
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { | ||
u, p, ok := r.BasicAuth() | ||
if !ok { | ||
io.WriteString(w, `{"error":"invalid_client"}`) | ||
w.WriteHeader(http.StatusBadRequest) | ||
} | ||
if got, want := u, clientID; got != want { | ||
io.WriteString(w, `{"error":"invalid_client"}`) | ||
w.WriteHeader(http.StatusBadRequest) | ||
} | ||
if got, want := p, clientSecret; got != want { | ||
io.WriteString(w, `{"error":"invalid_client"}`) | ||
w.WriteHeader(http.StatusBadRequest) | ||
} | ||
io.WriteString(w, `{"device_code":"code","user_code":"user_code","verification_uri":"http://example.device.com","expires_in":300,"interval":5}`) | ||
})) | ||
defer ts.Close() | ||
_, err := RetrieveDeviceAuth(context.Background(), clientID, clientSecret, ts.URL, url.Values{}, AuthStyleInHeader, styleCache) | ||
if err != nil { | ||
t.Errorf("RetrieveDeviceAuth = %v; want no error", err) | ||
} | ||
} | ||
|
||
func TestDeviceAuth_ClientAuthnProbe(t *testing.T) { | ||
styleCache := new(AuthStyleCache) | ||
const clientID = "client-id" | ||
const clientSecret = "client-secret" | ||
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { | ||
u, p, ok := r.BasicAuth() | ||
if !ok { | ||
io.WriteString(w, `{"error":"invalid_client"}`) | ||
w.WriteHeader(http.StatusBadRequest) | ||
} | ||
if got, want := u, clientID; got != want { | ||
io.WriteString(w, `{"error":"invalid_client"}`) | ||
w.WriteHeader(http.StatusBadRequest) | ||
} | ||
if got, want := p, clientSecret; got != want { | ||
io.WriteString(w, `{"error":"invalid_client"}`) | ||
w.WriteHeader(http.StatusBadRequest) | ||
} | ||
io.WriteString(w, `{"device_code":"code","user_code":"user_code","verification_uri":"http://example.device.com","expires_in":300,"interval":5}`) | ||
})) | ||
defer ts.Close() | ||
_, err := RetrieveDeviceAuth(context.Background(), clientID, clientSecret, ts.URL, url.Values{}, AuthStyleUnknown, styleCache) | ||
if err != nil { | ||
t.Errorf("RetrieveDeviceAuth = %v; want no error", err) | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters