feat: implement RFC 8628

[nsklikas]

This PR is a continuation of #3851. I have created it from my own personal repo and I have invited people from Ory to contribute so that we can speed up things. I think that most of the comments in the old PR were resolved, but I can copy them to this PR if we wish to keep the discussion history.

Implements the Device Authorization Grant to enable authentication for headless machines (see https://datatracker.ietf.org/doc/html/rfc8628)

Related issue(s)

Implements RFC 8628.

This PR is based on the work done on #3252, by @supercairos and @BuzzBumbleBee. That PR was based on an older version of Hydra and was missing some features/tests.

We have prepared a spec, that describes our design and implementation. We have tried to mimic the existing logic in Hydra and not make changes that would disrupt the existing workflows

Checklist

• I have read the contributing guidelines.
• I have referenced an issue containing the design document if my change
  introduces a new feature.
• I am following the
  contributing code guidelines.
• I have read the security policy.
• I confirm that this pull request does not address a security
  vulnerability. If this pull request addresses a security vulnerability, I
  confirm that I got the approval (please contact
  security@ory.sh) from the maintainers to push
  the changes.
• I have added tests that prove my fix is effective or that my feature
  works.
• I have added or changed the documentation.

Further Comments

Notes:

• The current implementation has been manually tested only for memory and postgres databases. The tests pass all of them.
• Fosite is installed from our fork to ease testing. Once the relevant PR in fosite is merged, we will update go.mod.

Testing

To test this you need to built the hydra image:

make docker

This will create an image with the name: oryd/hydra:latest-sqlite

To run the flow you can use our UI, from https://github.com/canonical/identity-platform-login-ui/tree/hydra-device-test:

git clone git@github.com:canonical/identity-platform-login-ui.git -b hydra-device-test
cd identity-platform-login-ui/
# The image name is hard-coded in the docker-compose file
docker compose up --remove-orphans --force-recreate -d

Create a client for Hydra:

docker exec -it identity-platform-login-ui-hydra-1 hydra create client   --endpoint http://localhost:4445   --grant-type authorization_code,refresh_token,urn:ietf:params:oauth:grant-type:device_code --scope openid,offline_access,email,profile --token-endpoint-auth-method client_secret_post

Use that client to perform the device flow:

docker exec -it identity-platform-login-ui-hydra-1 hydra perform device-code --client-id <client-id> --client-secret <client-secret> -e http://localhost:4444 --scope openid,offline_access,email,profile

The user for logging in is:

• username: test@example.com
• password: test

[aeneasr]

Very nice! I'll push some minor changes from my side and left a couple of comments.

I primarily cleaned up error handling to make it standards compliant

[aeneasr]

Is this testing if we can accept the same device challenge twice? If so, we need two tests:

1. Test if we can accept the same device challenge twice and that the device verifier is valid
2. Test if we can accept the device challenge once, use it, then try again, and fail

[nsklikas]

I think that 1 is handled by this test

About 2, a device challenge can be used multiple times. The reason for that is that only the consent challenge ID is unique in the database. Multiple flows with the same device challenge can be persisted in the database, as long as they have a different consent challenge ID and are associated with a different user_code. I think that the same is true for the login_challenge.

Do you think that the device_challenge should be unique?

[aeneasr]

Yes, the device_challenge must be unique, otherwise we have a potential replay attack vector

[aeneasr]

Maybe you can add a test case here where a device auth code is already used

[aeneasr]

Change this to UPDATE ... SET accepted WHER nid=... AND request_id = ? ?

[aeneasr]

Oh, I'm sorry, it appears that there are quite a lot of values being copied around here

[aeneasr]

Do you know which values need to be updated here? Is it all of them? Or just some?

[nsklikas]

I'm not sure to which line you are referring to.

[aeneasr]

Damn, looks like my comment was saved on the wrong file. I'm resolving this

[aeneasr]

This looks copy pasted - could you make this list a variable for re-use?

[nsklikas]

It's taken from https://github.com/ory/fosite/blob/master/handler/openid/flow_explicit_auth.go#L29. I will make it a variable here, should I add a comment with a link to fosite?

[aeneasr]

A few more comments, but I think we're getting quite close. Preventing replay attacks definitely needs to be addressed before merge

[aeneasr]

You can remove all files in this directory

[aeneasr]

Let me know when this is good for another review

[nsklikas]

@aeneasr sorry for the late response, everything should be good for another review now.

[aeneasr]

I tried performing the flow using the included CLI tooling, but it failed with this:

go run . perform device-code --endpoint  http://127.0.0.1:4444 --client-id $code_client_id --client-secret $code_client_secret
Failed to perform the device authorization request
%!(EXTRA string=oauth2: cannot fetch token: 401 Unauthorized
Response: {"error":"invalid_client","error_description":"Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The OAuth 2.0 Client supports client authentication method 'client_secret_basic', but method 'client_secret_post' was requested. You must configure the OAuth 2.0 client's 'token_endpoint_auth_method' value to accept 'client_secret_post'."})exit status 1

1. It appears that the error message is not properly formatted (thus the "extra" part)
2. The client should per default use "client_secret_basic" like the other commands

[aeneasr]

Or does device auth always use post form submit? From looking at the go oauth2 library it appears to be the case?

[aeneasr]

Would it be possible to get ory/hydra-login-consent-node#123 ready to merge so that the quickstart can be used for the device auth code flow? :)

[aeneasr]

I've fixed up the node PR: ory/hydra-login-consent-node#161

And made the CLI changes.

The node PR is still missing the device auth complete screen which we should add I added the screen - please verify it's correctness

Otherwise it seems like everything is working! I was able to perform the device auth code flow end to end :)

ps: the node pr includes a pre-release of the SDK that has the device auth code flow methods included

[aeneasr]

One last thing we need is some docs. I was thinking a dedicated page for this grant type:

1. Brief introduction
2. End to end example
3. Config options
4. Implementation of a custom ui for the verification and success screen

@christiannwamba anything I missed?

[nsklikas]

Or does device auth always use post form submit? From looking at the go oauth2 library it appears to be the case?

It is a little bit weird. I think there was a discussion around this in the original PR as well, but I can't fine it right now. RFC section 3.1 says:

The client authentication requirements of Section 3.2.1 of [RFC6749]
apply to requests on this endpoint, which means that confidential
clients (those that have established client credentials) authenticate
in the same manner as when making requests to the token endpoint, and
public clients provide the "client_id" parameter to identify
themselves.

Reading this, I understand that the client must authenticate when making the device authz request. But the golang oauth2 lib does not provide client authentication in that request. There is an open issue about it golang/oauth2#685, that hasn't been addressed for quite some time. My guess is that most people will use public clients for the device flow and that's why they don't care. I think that some of the public providers don't require client authn for this request either, so I was conflicted about whether I should add it or not.

We could make the CLI work by patching the http client used to add the basic auth header, I agree that this would provide better UX. I will give it a shot.

[christiannwamba]

One last thing we need is some docs. I was thinking a dedicated page for this grant type:

1. Brief introduction
2. End to end example
3. Config options
4. Implementation of a custom ui for the verification and success screen

@christiannwamba anything I missed?

I think that covers it. Should go under the guides section.

[aeneasr]

Or does device auth always use post form submit? From looking at the go oauth2 library it appears to be the case?

It is a little bit weird. I think there was a discussion around this in the original PR as well, but I can't fine it right now. RFC section 3.1 says:

The client authentication requirements of Section 3.2.1 of [RFC6749]
apply to requests on this endpoint, which means that confidential
clients (those that have established client credentials) authenticate
in the same manner as when making requests to the token endpoint, and
public clients provide the "client_id" parameter to identify
themselves.

Reading this, I understand that the client must authenticate when making the device authz request. But the golang oauth2 lib does not provide client authentication in that request. There is an open issue about it golang/oauth2#685, that hasn't been addressed for quite some time. My guess is that most people will use public clients for the device flow and that's why they don't care. I think that some of the public providers don't require client authn for this request either, so I was conflicted about whether I should add it or not.

We could make the CLI work by patching the http client used to add the basic auth header, I agree that this would provide better UX. I will give it a shot.

It‘s fine - the device flow should actually only use public clients as end devices can‘t keep secrets. I confirmed that this works.

[aeneasr]

What I did:

1. Clean up the SQL migrations - there were a couple of NULL values that should not be null and inconsistencies between the database variants.
2. Change the config structure for device URLs.
3. Add code docs with my understanding of the business logic and simplify/clean up a bit.
4. Wrapped writes in performOAuth2DeviceVerificationFlow in a transaction to reduce latency.

What I found and what I believe needs to be addressed:

1. It does not appear to be possible to reject a device user auth code. I also noticed that the field DeviceError is unused (probably because the functionality is missing).
2. Please verify that device_authorization_grant_id_token_lifespan (and refresh, access) are effective with a test.
3. DeviceUserCodeAcceptedAt is unused as far as I can tell. When in doubt, leave it out :)
4. Clean of up device table is missing - we are not removing the row like we do with the oidc tables post-use and there is no clean up process. This means that in production you'll quickly run into DB growth issues. Ideally, the hydra_oauth2_device_auth_codes row gets removed upon use.
5. The polling interval is purely informational and is part of the OAuth2 response. Is that understanding correct? If so, please document it as such in the config schema JSON.
6. Looking at the code I was wondering if we can somehow create a sequence where in HandleOAuth2DeviceAuthorizationRequest we can bypass device/login/consent verifiation? I've tried to hack around this but in my view it is not possible - please confirm:
   1. You can not get a login challenge without device verification, and you can't get a login verifier without a login challenge
   2. The same applies to the consent challenge - without a login verifier you can't get a consent verifier
7. Can you please add missing cypress e2e tests for a public client performing the flow?
8. In the database, user_code is leaking into request_url in the flow table (and potentially other tables). This isn't great because the user code should really only be available to the user.
9. It took me quite some time to understand what is happening with CreateLoginRequest which now accepts a flow as well. As far as I understand, this is because we now create the flow (sometimes) as part of the device flow which happens before login. I'm wondering if it wouldn't be simpler to just use the existing device flow and update the state, instead of calling CreateLoginRequest.
10. While we have a fallback URL for device success (oauth2/fallbacks/device/done), a fallback URL for device verification is missing (oauth2/fallbacks/device).

[aeneasr]

Looks like I messed up the tests - very sorry about that! I‘m currently PTO but trying to squeeze it in :)

[nsklikas]

Looks like I messed up the tests - very sorry about that! I‘m currently PTO but trying to squeeze it in :)

Nw, I will try to fix them

[nsklikas]

What I found and what I believe needs to be addressed:

1. [ ]  It does not appear to be possible to reject a device user auth code. I also noticed that the field `DeviceError` is unused (probably because the functionality is missing).

Not implementing the reject endpoint was part of the plan. I thought that it could be added at a later time if needed. The DeviceError should be used by the reject endpoint (once implemented), I will remove it for now since we are missing that functionality.

2. [ ]  Please verify that  `device_authorization_grant_id_token_lifespan` (and refresh, access) are effective with a test.

It should be tested by https://github.com/nsklikas/hydra/blob/canonical-master/oauth2/oauth2_device_code_test.go#L624

3. [ ]  `DeviceUserCodeAcceptedAt` is unused as far as I can tell. When in doubt, leave it out :)

Good catch, removed

4. [ ]  Clean of up device table is missing - we are not removing the row like we do with the oidc tables post-use and there is no clean up process. This means that in production you'll quickly run into DB growth issues. Ideally, the `hydra_oauth2_device_auth_codes` row gets removed upon use.

I thought that the tables are cleaned asynchronously by hydra janitor. Am I missing something? The janitor work was supposed to be handled on a different PR.

5. [ ]  The polling interval is purely informational and is part of the OAuth2 response. Is that understanding correct? If so, please document it as such in the config schema JSON.

That's correct, will update the schema

6. [ ]  Looking at the code I was wondering if we can somehow create a sequence where in `HandleOAuth2DeviceAuthorizationRequest` we can bypass device/login/consent verifiation? I've tried to hack around this but in my view it is not possible - please confirm:
   
   1. You can not get a login challenge without device verification, and you can't get a login verifier without a login challenge
   2. The same applies to the consent challenge - without a login verifier you can't get a consent verifier

It shouldn't be possible to do that, if you were able to get a login_verifier/consent_challenge/consent_verifier then that would mean that you would be able to do that for the common auth_code flow as well, as we are relying on the same logic/methods. Going through the code, you should not be able to get a login_challenge if you don't have a valid device_verifier.

7. [ ]  Can you please add missing cypress e2e tests for a public client performing the flow?

AFAICT the device flow is not supported by the simple-oauth2 lib, which is used in the e2e tests. I will try to implement the calls on my own.

8. [ ]  In the database, `user_code` is leaking into `request_url` in the flow table (and potentially other tables). This isn't great because the user code should really only be available to the user.

Good point, I will redact it.

9. [ ]  It took me quite some time to understand what is happening with `CreateLoginRequest` which now accepts a flow as well. As far as I understand, this is because we now create the flow (sometimes) as part of the device flow which happens before login. I'm wondering if it wouldn't be simpler to just use the existing device flow and update the state, instead of calling `CreateLoginRequest`.

Great point, I will create CreateLoginRequestFromDeviceRequest to handle this case.

10. [ ]  While we have a fallback URL for device success (`oauth2/fallbacks/device/done`), a fallback URL for device verification is missing (`oauth2/fallbacks/device`).

Right, will add it

[aeneasr]

Ideally we would not need the janitor (although the janitor should still try to clean the table) but instead the row is deleted when the token exchange happens:

• Add janitor clean up
• Clean up row after use

Without DB clean up it won't be possible to cut a release as it will cause very large DB growth very quickly

[aeneasr]

Regarding rejection - I'm not sure how others handle it. Is it possible to reject the device screen in other implementations?

It probably should at least programmatically be possible - for example when the device verification endpoint decides "uhhhm nope, this should not be handled by that client". But might be a bit of a fabricated use case. I would be ok not having a reject endpoint, I think.

[nsklikas]

Ideally we would not need the janitor (although the janitor should still try to clean the table) but instead the row is deleted when the token exchange happens:

* Add janitor clean up

* Clean up row after use

Without DB clean up it won't be possible to cut a release as it will cause very large DB growth very quickly

No problem with adding it, but can you point me to where this happens for the other oauth2 tokens as I can't really find it.

To be clear what you suggest is that instead of marking the token as used after it is accepted/rejected (soft delete), we should instead delete the row (hard delete), right?

Also keep in mind that this won't protect you from someone malicious who will spam the device_authorization endpoint.

[nsklikas]

Regarding rejection - I'm not sure how others handle it. Is it possible to reject the device screen in other implementations?

It probably should at least programmatically be possible - for example when the device verification endpoint decides "uhhhm nope, this should not be handled by that client". But might be a bit of a fabricated use case. I would be ok not having a reject endpoint, I think.

I think that most provider simply have a button for accepting the code, no button for rejecting it.

The [RFC}(https://datatracker.ietf.org/doc/html/rfc8628#section-3.3) says:

The authorization server prompts the end user to
identify the device authorization session by entering the "user_code"
provided by the client. The authorization server should then inform
the user about the action they are undertaking and ask them to
approve or deny the request. Once the user interaction is complete,
the server instructs the user to return to their device.

In Hydra it is possible to implement this behavior with the consent API. I am not sure if the reject endpoint will actually ever be used or not. IMHO it is a nice-to-have, but not required for an MVP.

[aeneasr]

Hm the spec seems to clearly indicate we need a rejection option. At this point I would like to clarify that my personal expectation is to land this feature/PR with all important aspects covered - I understand everyone has different expectations on what MVP means but for Ory Hydra it implies stability, docs, tests and spec compliance :) That‘s why this project is so popular! As I said before - we are super close and I think from the business logic aspect we have almost all bases covered :)Am 11.02.2025 um 10:34 schrieb Nikos Sklikas ***@***.***>: Regarding rejection - I'm not sure how others handle it. Is it possible to reject the device screen in other implementations? It probably should at least programmatically be possible - for example when the device verification endpoint decides "uhhhm nope, this should not be handled by that client". But might be a bit of a fabricated use case. I would be ok not having a reject endpoint, I think. I think that most provider simply have a button for accepting the code, no button for rejecting it. The [RFC}(https://datatracker.ietf.org/doc/html/rfc8628#section-3.3) says: The authorization server prompts the end user to identify the device authorization session by entering the "user_code" provided by the client. The authorization server should then inform the user about the action they are undertaking and ask them to approve or deny the request. Once the user interaction is complete, the server instructs the user to return to their device. In Hydra it is possible to implement this behavior with the consent API. I am not sure if the reject endpoint will actually ever be used or not. IMHO it is a nice-to-have, but not required for an MVP. —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you were mentioned.Message ID: ***@***.***>

[aeneasr]

It would get removed on token exchange - so after the consent flow is finished. You can search for DeleteOpenIDSession (or similar) in Fosite for this!Am 11.02.2025 um 10:28 schrieb Nikos Sklikas ***@***.***>: Ideally we would not need the janitor (although the janitor should still try to clean the table) but instead the row is deleted when the token exchange happens: * Add janitor clean up * Clean up row after use Without DB clean up it won't be possible to cut a release as it will cause very large DB growth very quickly No problem with adding it, but can you point me to where this happens for the other oauth2 tokens as I can't really find it. To be clear what you suggest is that instead of marking the token as used after it is accepted/rejected (soft delete), we should instead delete the row (hard delete), right? Also keep in mind that this won't protect you from someone malicious who will spam the device_authorization endpoint. —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you were mentioned.Message ID: ***@***.***>

[nsklikas]

It would get removed on token exchange - so after the consent flow is finished. You can search for DeleteOpenIDSession (or similar) in Fosite for this!

But that is different, user_code/device_code are similar to the auth_code. The hydra_oauth2_oidc holds information about the session. I don't see any of the oauth2 tokens being deleted when they are used (one could argue that you should keep the tokens for auditing reasons and delete them afterwards). authorization_codes and refresh_tokens stay in the database until janitor deletes them.

My question is why would you expect the database to grow that big with the device tokens and not with any of the other tokens?

[nsklikas]

Hm the spec seems to clearly indicate we need a rejection option. At this point I would like to clarify that my personal expectation is to land this feature/PR with all important aspects covered - I understand everyone has different expectations on what MVP means but for Ory Hydra it implies stability, docs, tests and spec compliance :) That‘s why this project is so popular! As I said before - we are super close and I think from the business logic aspect we have almost all bases covered :)

Agreed, what I meant is that IMO the current implementation is RFC compliant. approve or deny the request sounds like consent to me and that is already implemented. deny the request != reject the user_code, rejecting the user_code is the functionality that we are missing

AFAICT rejecting the user_code would be part of the consent UI or it would require a new UI screen to be implemented that would be shown before login (probably does not make much sense). We could enhance the reject consent API to also invalidate the user_code, but I am not sure I like this.

[aeneasr]

Hm the spec seems to clearly indicate we need a rejection option. At this point I would like to clarify that my personal expectation is to land this feature/PR with all important aspects covered - I understand everyone has different expectations on what MVP means but for Ory Hydra it implies stability, docs, tests and spec compliance :) That‘s why this project is so popular! As I said before - we are super close and I think from the business logic aspect we have almost all bases covered :)

Agreed, what I meant is that IMO the current implementation is RFC compliant. approve or deny the request sounds like consent to me and that is already implemented. deny the request != reject the user_code, rejecting the user_code is the functionality that we are missing

Fair point - the current behavior is fine then in my view!

[aeneasr]

It would get removed on token exchange - so after the consent flow is finished. You can search for DeleteOpenIDSession (or similar) in Fosite for this!

But that is different, user_code/device_code are similar to the auth_code. The hydra_oauth2_oidc holds information about the session. I don't see any of the oauth2 tokens being deleted when they are used (one could argue that you should keep the tokens for auditing reasons and delete them afterwards). authorization_codes and refresh_tokens stay in the database until janitor deletes them.

My question is why would you expect the database to grow that big with the device tokens and not with any of the other tokens?

The authorization code is kept around because we need it for re use detection. The oidc, pkce tables are transient tables which get cleaned up after the state is no longer required.

For the user code, do we need re use detection as well? Meaning that re using the code would invalidate the previous issued tokens? If not, we can and probably should delete it once the token exchange is completed so that the code is freed from the unique constraint. In my understanding, the user/device code is also transient and only needed to perform token exchange. Is that correct?

[aeneasr]

ps: we have customers with several TB of data in the individual tables so cleaning them up is definitely important :)

[nsklikas]

The authorization code is kept around because we need it for re use detection. The oidc, pkce tables are transient tables which get cleaned up after the state is no longer required.

For the user code, do we need re use detection as well? Meaning that re using the code would invalidate the previous issued tokens? If not, we can and probably should delete it once the token exchange is completed so that the code is freed from the unique constraint. In my understanding, the user/device code is also transient and only needed to perform token exchange. Is that correct?

Understood, yes they are transient. Given that retries are part of the flow, I think that re-use detection is not needed.

[nsklikas]

@aeneasr all of your comments should be resolved now except for:

• cypress e2e tests
• docs

AFAICT ory/hydra-login-consent-node#161 needs to be merged, in order to implement the e2e tests. Is there anything that I should do on that end?

I will try to open a PR for the docs soon.

[aeneasr]

@aeneasr all of your comments should be resolved now except for:

• cypress e2e tests
• docs

AFAICT ory/hydra-login-consent-node#161 needs to be merged, in order to implement the e2e tests. Is there anything that I should do on that end?

I will try to open a PR for the docs soon.

Just let me know if the 161 implementation is correct - then I‘ll merge that one!

[nsklikas]

Pushed cypress tests for the device flow. I used ory/hydra-login-consent-node#161 to run them, everything seems to work fine. Since there is no success page in that implementation, I set the success page to something in the client app to make the test implementation easier, I hope that's fine.

[nsklikas]

The tests should be fixed when the hydra-login-consent-node PR is merged. I also opened a PR for the docs. It will need some work, but most of the required information should be there.

[aeneasr]

I've pushed the missing success screen, sorry about that!

[nsklikas]

AFAICT a new release is needed for hydra-login-consent-node as well in order for the tests to pass.

[aeneasr]

It uses master IIRC, so no release required

[nsklikas]

AFAICT it uses the latest release on the npm store (see https://github.com/ory/hydra/blob/master/test/e2e/oauth2-client/package.json#L17)

[aeneasr]

I see, I probably confused it with kratos CI - let’s see if this passes: https://github.com/ory/hydra-login-consent-node/releases/tag/v2.4.0-alpha.0

[nsklikas]

I see, I probably confused it with kratos CI - let’s see if this passes: https://github.com/ory/hydra-login-consent-node/releases/tag/v2.4.0-alpha.0

It failed, seems like it's missing a token or something