-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: implement RFC 8628 #3851
base: master
Are you sure you want to change the base?
feat: implement RFC 8628 #3851
Conversation
You kept the Otherwise, it's great work! Would love to see this land into Hydra as IMO it's a much needed feature :) |
87c6315
to
349743e
Compare
349743e
to
e0b066f
Compare
I just noticed the design doc you linked, should have taken a look there first. |
OK, I think I now cleared up the confusion I had about the |
20555bd
to
140f75e
Compare
Apparently the tests are broken because of https://github.com/ory/fosite/pull/827/files#diff-b92270a81f4021a9cdf52dfcfaeac9b66254471b85fd5ef4101acdbad02e4296R161, not sure if it's a bug or if the hydra tests need to be updated. @zepatrik any tip on how to fix this? |
@nsklikas I have fixed the upstream fosite issue. I also thought about the overall flow a bit more, and I think this flow is a bit better wrt database strain (writes and storage). Also it is less complex from the bigger picture, but I agree that it might be more complex to implement. Did you consider something similar, and what are your thoughts? I would especially prefer the user and device codes to be in one table, so we can rely on the database to ensure the link between the two. Also happy to discus synchronously. |
140f75e
to
b7767f9
Compare
We considered merging the 2 tables (I think it was also discussed in the older PR). Merging the 2 tables would complicate the schema (you would need to have 2 expiration periods, 2 About persisting the flow table to the database at the beginning of the flow, we would be doing one less redirect (we could send the user directly to the login UI, they wouldn't need to go through Hydra). But we would have to:
I would rather we keep the design as it is, because we think that these changes wouldn't improve the current flow much (I understand that, depending on the load, merging the 2 tables can offer considerable improved performance) and it would complicate the implementation. Ideally I would rather we do not change the design of the current PR (unless you think that there is something wrong with it), to get something going and to avoid getting lost on the many changes that it introduces. We can always iterate on it on subsequent PRs, BUT I understand that if we want to change the database schema (by merging the tables), it would be best to do it as early as possible to avoid having to create a migration plan. |
I now realize that we wouldn't be avoiding the first redirect, as we want to setup csrf protection. I don't think I see the value of making this change (referring only to writing the flow in the database when creating the user code). |
Thanks for revisiting, I was just adding some follow-up clarifications. TL;DR we would like to do the refactor to have one-table for the codes, everything else looks good. We had even more discussions also with @alnr and basically came to these conclusions:
Overall, the refactor to use only one table should be worth it right away. We can also help out with the refactor if necessary. |
Thanks for the quick reply. Just to be clear, afaict refactoring the database affects both fosite and hydra. In fosite we should merge the Regarding the unique index, I am not sure if this is the right approach. We can have a PK with IMO the migration should look something like the following:
(Disclaimer: I haven't tested this, so there may be some issues with it) The reason there is a To optimize the
This should be a big performance improvement on the current db queries. @zepatrik I suggest that as a way forward:
|
I agree with the dependency here. I think now would be a good time to set up a call and discuss the schema in detail. I'll reach out via email. |
At the end of the User-Browser login flow part, It's good to redirect the user to a "post device login webpage" so the user knows he can safely close his Browser webpage and that the device is authenticated succesfully. I don't see this being mentioned, Is this handled ? |
Yes, this is part of the "redirect to URL from accept consent response". There will be a config setting for that page. |
Instead of updating the device session, we were over-writing it causing existing session info that were created from fosite to be lost.
02d39f7
to
7970287
Compare
7970287
to
8790af4
Compare
Implements the Device Authorization Grant to enable authentication for headless machines (see https://datatracker.ietf.org/doc/html/rfc8628)
Related issue(s)
Implements RFC 8628.
This PR is based on the work done on #3252, by @supercairos and @BuzzBumbleBee. That PR was based on an older version of Hydra and was missing some features/tests.
We have prepared a spec, that describes our design and implementation. We have tried to mimic the existing logic in Hydra and not make changes that would disrupt the existing workflows
Checklist
introduces a new feature.
contributing code guidelines.
vulnerability. If this pull request addresses a security vulnerability, I
confirm that I got the approval (please contact
security@ory.sh) from the maintainers to push
the changes.
works.
Further Comments
Notes:
memory
andpostgres
databases. The tests pass all of them.go.mod
.Testing
To test this you need to built the hydra image:
make docker
This will create an image with the name:
oryd/hydra:latest-sqlite
To run the flow you can use our UI, from https://github.com/canonical/identity-platform-login-ui/tree/hydra-device-test:
Create a client for Hydra:
docker exec -it identity-platform-login-ui-hydra-1 hydra create client --endpoint http://localhost:4445 --grant-type authorization_code,refresh_token,urn:ietf:params:oauth:grant-type:device_code --scope openid,offline_access,email,profile --token-endpoint-auth-method client_secret_post
Use that client to perform the device flow:
docker exec -it identity-platform-login-ui-hydra-1 hydra perform device-code --client-id <client-id> --client-secret <client-secret> -e http://localhost:4444 --scope openid,offline_access,email,profile
The user for logging in is:
test@example.com
test