
Show QR code for OAuth device authentication

Open hickford opened this issue 2 years ago • 4 comments

When the OAuth device response includes the verification_uri_complete parameter, it would be neat to show a QR code to help open this URL on another device.

https://datatracker.ietf.org/doc/html/rfc8628#section-3.3.1

When "verification_uri_complete" is included in the authorization response, clients MAY present this URI in a non-textual manner using any method that results in the browser being opened with the URI, such as with QR (Quick Response) codes or NFC (Near Field Communication), to save the user from typing the URI.

For usability reasons, it is RECOMMENDED for clients to still display the textual verification URI ("verification_uri") for users who are not able to use such a shortcut. Clients MUST still display the "user_code", as the authorization server will require the user to confirm it to disambiguate devices or as remote phishing mitigation.

            +-------------------------------------------------+
            |                                                 |
            |  Scan the QR code or, using     +------------+  |
            |  a browser on another device,   |[_]..  . [_]|  |
            |  visit:                         | .  ..   . .|  |
            |  https://example.com/device     | . .  . ....|  |
            |                                 |.   . . .   |  |
            |  And enter the code:            |[_]. ... .  |  |
            |  WDJB-MJHT                      +------------+  |
            |                                                 |
            +-------------------------------------------------+

hickford avatar Oct 13 '23 13:10 hickford

I haven't yet found any OAuth servers that populate verification_uri_complete to test this.

@hpsin Have you considered populating verification_uri_complete in GitHub's OAuth device flow response? https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps#device-flow

hickford avatar Oct 13 '23 13:10 hickford

Prototype implementation in git-credential-oauth using qrencode: https://github.com/hickford/git-credential-oauth/pull/41

hickford avatar Oct 13 '23 17:10 hickford

No, we do not wish to allow deep-linking into the middle of the flow. It makes attacks on the device code flow even easier.

hpsin avatar Oct 13 '23 18:10 hpsin

> I haven't yet found any OAuth servers that populate verification_uri_complete to test this.

A possible implementation in GCM could try and use verification_uri_complete to create the QR code, and if it is not present just use verification_uri instead to still provide some convenience – you don't need to type out the URL again.

Aside: of course this is assuming you're not already on the same device you wish to auth on, where you could just click the link in the GUI prompt or terminal.

mjcheetham avatar Oct 24 '23 17:10 mjcheetham
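The selection logic discussed in this thread (QR-encode verification_uri_complete when the server sends it, fall back to verification_uri as suggested above, and always print verification_uri and user_code as RFC 8628 requires), as an added example in Go that is not code from GCM or git-credential-oauth. The JSON sample is constructed; rendering the QR image is left to a separate tool such as qrencode.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// DeviceAuthResponse models the RFC 8628 section 3.2 response; verification_uri_complete is OPTIONAL.
type DeviceAuthResponse struct {
	DeviceCode              string `json:"device_code"`
	UserCode                string `json:"user_code"`
	VerificationURI         string `json:"verification_uri"`
	VerificationURIComplete string `json:"verification_uri_complete,omitempty"`
	ExpiresIn               int    `json:"expires_in"`
}

// ParseDeviceAuthResponse decodes the body and rejects a reply missing any REQUIRED field.
func ParseDeviceAuthResponse(body []byte) (*DeviceAuthResponse, error) {
	var r DeviceAuthResponse
	if err := json.Unmarshal(body, &r); err != nil {
		return nil, err
	}
	if r.DeviceCode == "" || r.UserCode == "" || r.VerificationURI == "" || r.ExpiresIn <= 0 {
		return nil, fmt.Errorf("device authorization response is missing a required field")
	}
	return &r, nil
}

// BuildPrompt picks the URI to encode as a QR code (verification_uri_complete when present,
// else verification_uri) and builds the text, which always shows verification_uri and user_code.
func BuildPrompt(r *DeviceAuthResponse) (qrTarget string, text string) {
	qrTarget = r.VerificationURI
	if r.VerificationURIComplete != "" {
		qrTarget = r.VerificationURIComplete
	}
	text = fmt.Sprintf("Scan the QR code or, using a browser on another device, visit:\n  %s\nAnd enter the code:\n  %s\n", r.VerificationURI, r.UserCode)
	return qrTarget, text
}

func main() {
	// Constructed sample response (not from any real server) with the optional field present.
	body := []byte(`{"device_code":"dc-example","user_code":"WDJB-MJHT","verification_uri":"https://example.com/device","verification_uri_complete":"https://example.com/device?user_code=WDJB-MJHT","expires_in":1800}`)
	r, err := ParseDeviceAuthResponse(body)
	if err != nil {
		panic(err)
	}
	qr, text := BuildPrompt(r)
	fmt.Printf("QR target: %s\n%s", qr, text) // rendering the QR itself is left to a tool such as qrencode
}
```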