feat: OAuth 2.0 Device Authorization Grant #2416

[supercairos]

This PR adds the Device Auth Grant to Ory/Hydra
RFC: https://www.rfc-editor.org/rfc/rfc8628

Related issue(s)

This PR is related to #2416

See also fosite PR:
https://github.com/ory/fosite/pull/701/files

Checklist

• I have read the contributing guidelines.
• I have referenced an issue containing the design document if my change
  introduces a new feature.
• I am following the
  contributing code guidelines.
• I have read the security policy.
• I confirm that this pull request does not address a security
  vulnerability. If this pull request addresses a security. vulnerability, I
  confirm that I got green light (please contact
  security@ory.sh) from the maintainers to push
  the changes.
• I have added tests that prove my fix is effective or that my feature
  works.
• I have added or changed the documentation.

[BuzzBumbleBee]

@aeneasr by the way of introduction I am the cloud native product manager at Canonical (the publisher of Ubuntu) We use Hydra internally and are also interested in this feature landing in the product. Is there anything we can do to help getting the work over the line? (We have an engineering team focused on identity management which could provide support)

If their is a chance to get this merged I can put some time into cleaning up my original implementation, up to now I think @supercairos has been keeping the MR alive as they are using this feature now.

I can also run you or other devs through the implementation

[alnr]

Just a quick update: this is still on our plate and we want to move this forward. Since we’ll own the code after it’s merged, we must allocate resources to really make sure we’re completely confident in how the feature integrates in hydra.

I’d expect some movement here soon.

Thanks massively again for the contribution and your patience!

[shipperizer]

@aeneasr by the way of introduction I am the cloud native product manager at Canonical (the publisher of Ubuntu) We use Hydra internally and are also interested in this feature landing in the product. Is there anything we can do to help getting the work over the line? (We have an engineering team focused on identity management which could provide support)

@alnr just to reinforce the point above, i'm the lead engineer of the aforementioned IAM team at canonical, we are more than happy to divert some resources and help on the effort

If their is a chance to get this merged I can put some time into cleaning up my original implementation, up to now I think @supercairos has been keeping the MR alive as they are using this feature now.

I can also run you or other devs through the implementation

@BuzzBumbleBee yes please, that would be great, feel free to get in touch, here's my email alessandro.cabbia@canonical.com and we can take it from there

[supercairos]

Hi all, would love to see this merged!
And would be happy to help on the effort :)
I hope on Monday to port our patch on the latest Hydra HEAD commit.

[supercairos]

Feel free to check the sister PR also @Fosite:
ory/fosite#701

[supercairos]

this code is missing quite a few tests but I can definitly work on this if it helps having this PR merged :)

[shipperizer]

@supercairos happy to contribute if help is needed, just need a bit of direction on how and where

[hperl]

Thank you very much for all the hard work! I finally managed to do a pass over the Hydra and Fosite PRs. I have left some comments, questions and ideas to improve this. Thank you for looking into this!

[hperl]

Confusing name. Are we requesting a device?

[hperl]

I guess it makes sense now, we ask the user to either enter the user_code or confirm the code sent in the query param.

[hperl]

Should we have two different paths, one for the user and one for the device?

E.g., /oauth/device/auth for the POST from the device, and /oauth/device/verify for the user to verify the device?

[hperl]

Additionally, I think it might be useful to handle user POST against the verification_url (https://datatracker.ietf.org/doc/html/rfc8628#section-3.3) so that a UI can render a simple form that will submit the user_code against the same endpoint.

Additionally, I think it might be useful to be able to configure a shorter version of this URL. /oauth2/device/auth is already quite long if you have to type it on a mobile, plus some origin. How about /device (as in the spec), or just /dev, or /oauth2/dev if you want to stick with the namespacing? But really, it should be configurable IMHO.

WDYT?

[supercairos]

Yes, that's one of the missing feature of this PR.
It shoudn't be hard to implemenent but I had to revert this particular feature because it was not working after the 2.1.1 merge.

We (at shadow) use a UI trick on the TV side to render a shorter URL (using a minified URL) but yes it should be configurable 👍

I can work on that after having fixed all the other PR reviews :)

[hperl]

Additionally, I think it might be useful to handle user POST against the verification_url (https://datatracker.ietf.org/doc/html/rfc8628#section-3.3) so that a UI can render a simple form that will submit the user_code against the same endpoint.

Please ignore this remark, I now understand your approach with the device verifier, which is using a POST to the UI and then an admin API to bind the device to the flow.

[hperl]

Tests?

[supercairos]

Sure it's missing quite a lots of tests :)

I'll add them asap :)

[hperl]

Thank you!

[hperl]

Tests?

[hperl]

Remove these if you agree we can use user_code.

Otherwise, we'll need tests ;).

[hperl]

OK, now I know we need this.

[hperl]

Tests for all new methods in this file please.

[hperl]

Please check if we really need two tables here :).

[supercairos]

In fact, the best would be to use the flow table as it can be seen as part of a login flow but since this MR was done before the 2.x we never took the time to update the database scheme.

But yes i believe there can be only one DB for both device_code and user_code as they are tied together

[supercairos]

Here are some tools help develop this feature:

1. A fake client to test the DAG: https://github.com/supercairos/oauth-device-flow-client-sample
2. A Hydra-UI that implement the DAG: https://github.com/supercairos/hydra-login-consent-node

[lltr]

Looking forward to this being out! Can't find any other open source provider supporting this.

[RomanHotsiy]

Hey folks 👋. Any plans to get it moving? Do you need any help?