Device Authorization Grant

CHANGELOG.md

@@ -6,6 +6,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 ### Added
+- Device Authorization Grant added (PR #1074)
 - GrantTypeInterface has a new function, `revokeRefreshTokens()` for enabling or disabling refresh tokens after use (PR #1375)
 - A CryptKeyInterface to allow developers to change the CryptKey implementation with greater ease (PR #1044)
 - The authorization server can now finalize scopes when a client uses a refresh token (PR #1094)

README.md

@@ -12,27 +12,29 @@
 Out of the box it supports the following grants:
 
 * Authorization code grant
-* Implicit grant
 * Client credentials grant
-* Resource owner password credentials grant
+* Device authorization grant
+* Implicit grant
 * Refresh grant
+* Resource owner password credentials grant
 
 The following RFCs are implemented:
 
 * [RFC6749 "OAuth 2.0"](https://tools.ietf.org/html/rfc6749)
 * [RFC6750 " The OAuth 2.0 Authorization Framework: Bearer Token Usage"](https://tools.ietf.org/html/rfc6750)
 * [RFC7519 "JSON Web Token (JWT)"](https://tools.ietf.org/html/rfc7519)
 * [RFC7636 "Proof Key for Code Exchange by OAuth Public Clients"](https://tools.ietf.org/html/rfc7636)
+* [RFC8628 "OAuth 2.0 Device Authorization Grant](https://tools.ietf.org/html/rfc8628)
 
 This library was created by Alex Bilbie. Find him on Twitter at [@alexbilbie](https://twitter.com/alexbilbie).
 
 ## Requirements
 
 The latest version of this package supports the following versions of PHP:
 
-* PHP 8.0
 * PHP 8.1
 * PHP 8.2
+* PHP 8.3
 
 The `openssl` and `json` extensions are also required.
 

composer.json

@@ -11,7 +11,9 @@
         "lcobucci/jwt": "^5.0",
         "psr/http-message": "^2.0",
         "defuse/php-encryption": "^2.4",
-        "lcobucci/clock": "^2.3 || ^3.0"
+        "ext-json": "*",
+        "lcobucci/clock": "^2.3 || ^3.0",
+        "psr/http-server-middleware": "^1.0"
     },
     "require-dev": {
         "phpunit/phpunit": "^9.6.15",

examples/README.md

@@ -51,3 +51,32 @@ curl -X "POST" "http://localhost:4444/refresh_token.php/access_token" \
 	--data-urlencode "client_secret=abc123" \
 	--data-urlencode "refresh_token={{REFRESH_TOKEN}}"
 ```
+
+## Testing the device authorization grant example
+
+Send the following cURL request. This will return a device code which can be exchanged for an access token.
+
+```
+curl -X "POST" "http://localhost:4444/device_code.php/device_authorization" \
+	-H "Content-Type: application/x-www-form-urlencoded" \
+	-H "Accept: 1.0" \
+	--data-urlencode "client_id=myawesomeapp" \
+	--data-urlencode "client_secret=abc123" \
+	--data-urlencode "scope=basic email"
+```	
+
+We have set up the example so that a user ID is already associated with the device code. In a production application you
+would implement an authorization view to allow a user to authorize the device.
+
+Issue the following cURL request to exchange your device code for an access token. Replace `{{DEVICE_CODE}}` with the 
+device code returned from your first cURL post:
+
+```
+curl -X "POST" "http://localhost:4444/device_code.php/access_token" \
+	-H "Content-Type: application/x-www-form-urlencoded" \
+	-H "Accept: 1.0" \
+	--data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:device_code" \
+	--data-urlencode "device_code={{DEVICE_CODE}}" \
+	--data-urlencode "client_id=myawesomeapp" \
+	--data-urlencode "client_secret=abc123"
+```

examples/composer.json

@@ -3,7 +3,7 @@
         "slim/slim": "^3.12.3"
     },
     "require-dev": {
-        "league/event": "^2.2",
+        "league/event": "^3.0",
         "lcobucci/jwt": "^3.4.6 || ^4.0.4",
         "psr/http-message": "^1.0.1",
         "defuse/php-encryption": "^2.2.1",