
discovery metadata for Device-Flow-Proxy-Server

Open jbasney opened this issue 3 years ago • 0 comments

Hi,

Thanks very much for sharing this code. We found it from the links at https://oauth.net/2/device-flow/. It's very helpful for us on the https://www.cilogon.org/ project.

I wonder if you can provide some advice/guidance for us related to discovery metadata. My apologies if this isn't the right place to ask.

The situation arises if (for example) we have an issuer of https://example.com with metadata at https://example.com/.well-known/oauth-authorization-server containing:

```json
{
  "issuer": "https://example.com",
  "authorization_endpoint": "https://example.com/oauth2/authorize",
  "token_endpoint": "https://example.com/oauth2/token",
  "token_endpoint_auth_methods_supported": ["client_secret_basic"],
  "response_types_supported": ["code"],
  "grant_types_supported": ["authorization_code"]
}
```

Then we configure the Device-Flow-Proxy-Server with:

```
BASE_URL=https://oauth-device-flow-demo.herokuapp.com
AUTHORIZATION_ENDPOINT=https://example.com/oauth2/authorize
TOKEN_ENDPOINT=https://example.com/oauth2/token
```

So we modify our metadata according to https://tools.ietf.org/html/rfc8628#section-4 as follows:

```json
{
  "issuer": "https://example.com",
  "authorization_endpoint": "https://example.com/oauth2/authorize",
  "device_authorization_endpoint": "https://oauth-device-flow-demo.herokuapp.com/device/code",
  "token_endpoint": "https://example.com/oauth2/token",
  "token_endpoint_auth_methods_supported": ["client_secret_basic"],
  "response_types_supported": ["code"],
  "grant_types_supported": ["authorization_code", "urn:ietf:params:oauth:grant-type:device_code"]
}
```

It almost works, except after the client gets the device_code from https://oauth-device-flow-demo.herokuapp.com/device/code it sends it to https://example.com/oauth2/token instead of https://oauth-device-flow-demo.herokuapp.com/device/token. We need something like

```json
"device_token_endpoint": "https://oauth-device-flow-demo.herokuapp.com/device/token"
```

in our metadata, but https://tools.ietf.org/html/rfc8628#section-4 doesn't give us that option. And since the Device-Flow-Proxy-Server doesn't change the issuer, https://tools.ietf.org/html/rfc8414#section-3 doesn't seem to give us the option of hosting metadata for it at a different location, unless we follow the "application-specific" method.

Am I missing something? Thanks in advance for any advice/guidance you can give.

-Jim

jbasney, Aug 28 '20 18:08
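The behaviour Jim describes follows directly from how a client resolves endpoints from RFC 8414 metadata: the device authorization request goes to `device_authorization_endpoint`, but the `device_code` grant is polled at the ordinary `token_endpoint`, and RFC 8628 defines no separate device token endpoint. The script below is an added example, not code from the issue or from the Device-Flow-Proxy-Server project. It parses the modified metadata document quoted above (reconstructed here as a constructed sample), applies the RFC 8414 section 3.3 issuer check, resolves the two endpoints a device-flow client would actually use, and flags the split-origin layout in which the device code is issued on one host while `token_endpoint` still points at the issuer. The function names are the example's own.

```python
"""Resolve RFC 8628 device-flow endpoints from RFC 8414 metadata and flag the
split-host layout described in the issue. Added example; the metadata below is
constructed from the issue text, not fetched from any server."""
import json
from urllib.parse import urlparse

DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

# Constructed sample: the modified metadata document from the issue, where the
# device authorization endpoint lives on the proxy but token_endpoint does not.
SPLIT_METADATA = json.dumps({
    "issuer": "https://example.com",
    "authorization_endpoint": "https://example.com/oauth2/authorize",
    "device_authorization_endpoint":
        "https://oauth-device-flow-demo.herokuapp.com/device/code",
    "token_endpoint": "https://example.com/oauth2/token",
    "token_endpoint_auth_methods_supported": ["client_secret_basic"],
    "response_types_supported": ["code"],
    "grant_types_supported": ["authorization_code", DEVICE_CODE_GRANT],
})


def origin(url):
    """Scheme plus host (and port) of a URL, the part worth comparing here."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}"


def load_metadata(text, expected_issuer):
    """Parse the metadata and apply the RFC 8414 section 3.3 check: the
    'issuer' value must be identical to the issuer the client started from.
    This is why metadata for a proxy cannot simply be served under its own
    host while keeping the original issuer value."""
    md = json.loads(text)
    if md.get("issuer") != expected_issuer:
        raise ValueError(
            f"issuer mismatch: {md.get('issuer')!r} != {expected_issuer!r}")
    return md


def resolve_device_flow_endpoints(md):
    """Return the two URLs a device-flow client uses. Per RFC 8628 the device
    authorization request goes to device_authorization_endpoint and the
    device_code grant is then polled at token_endpoint; the metadata has no
    'device_token_endpoint' to steer the poll elsewhere."""
    if DEVICE_CODE_GRANT not in md.get("grant_types_supported", []):
        raise ValueError("server does not advertise the device_code grant")
    for key in ("device_authorization_endpoint", "token_endpoint"):
        if key not in md:
            raise ValueError(f"metadata lacks {key}")
    return {
        "device_authorization_endpoint": md["device_authorization_endpoint"],
        "token_endpoint": md["token_endpoint"],
    }


def check_device_flow_layout(md):
    """Return findings for layouts a conforming client cannot follow. When the
    device code is issued on one origin and token_endpoint is on another, the
    client polls a token endpoint that has never seen that device_code."""
    findings = []
    eps = resolve_device_flow_endpoints(md)
    dev_origin = origin(eps["device_authorization_endpoint"])
    tok_origin = origin(eps["token_endpoint"])
    if dev_origin != tok_origin:
        findings.append(
            f"device_authorization_endpoint ({dev_origin}) and token_endpoint "
            f"({tok_origin}) are on different origins; device_code polling "
            f"will go to {eps['token_endpoint']}, not to the host that issued "
            f"the device_code")
    for key in ("issuer", "device_authorization_endpoint", "token_endpoint"):
        if urlparse(md[key]).scheme != "https":
            findings.append(f"{key} is not served over https")
    return findings


if __name__ == "__main__":
    md = load_metadata(SPLIT_METADATA, "https://example.com")
    print(resolve_device_flow_endpoints(md))
    for finding in check_device_flow_layout(md):
        print("WARN:", finding)
```

Running it prints the resolved pair (device code from the proxy, token polling at `https://example.com/oauth2/token`) followed by one warning about the split origins, which is exactly the failure observed in the issue. Loading the same document while expecting the proxy's host as issuer raises, which is the RFC 8414 constraint that rules out hosting metadata at the proxy without changing the issuer.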