-
Notifications
You must be signed in to change notification settings - Fork 368
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Device grant flow (migrate to master) #701
base: master
Are you sure you want to change the base?
Conversation
eaca767
to
ce02ff3
Compare
Fix HMACPointer
Add own flow to the Device Grant
8343e02
to
0ff2699
Compare
- Split request handling between the Device (Non-Interactive Side) & the Device Authorize (Interactive Side)
There is a also a refactoring I would like to perform on the PKCE, let me know if it's needed: |
I'm still trying to understand why PKCE would be needed for the device authorization grant. PKCE would protect the device code, but the code is returned in-band in the initial response to the device authorization request. If an attacker could read that response, it could surely also read the final response from the token request. How does PKCE add more security here? |
I do agree that PKCE is a bit redondant as it's done in-band. Maybe he can explain better than I (cc @BuzzBumbleBee) |
In a lot of cases this type of flow is used on IoT devices to login to service (think BBC iPlayer / Disney+ / Netflix on android TV) those would likely be using an Auth fow with PKCE (client credentials could be extracted from the application). These services almost always have a fallback method of logging in that would be a normal username and password so not having PKCE support on this flow but available on others would add complexity to the end user application. I can see the limitations tho. Also another providers (like forgerock) support device flow with PKCE. |
Sorry, I didn't follow that argument. I agree that for the authorization code flow you need PKCE, and I also saw forgerock implementing PKCE for the device flow. As I see it:
All in all, I'd not implement PKCE for the device flow. |
I let @BuzzBumbleBee reply as he was the one requesting this feature. But I would tend to be on @hperl side on that one:
|
I think maybe I'm overcomplicating this, take this example. App on Android TV, it has the device flow and (as a fallback) has auth code + PKCE flow behind a "login with email button" I can't store the client secret I'm the application as it's then vulnerable to extraction. Without code challenge and verifier will hydra allow a client authentication method of none ? I'm pretty sure this was something I hit really early when investigating this (hydra wasn't allowing a none Auth type without PKCE) I have no objection to removing PKCE as long as it can support implementations where client secret storage isn't available. Again maybe I'm overcomplicating here :) |
Thanks for adding the use case. Client authentication is skipped for the device auth grant, see here: fosite/handler/rfc8628/token_endpoint_handler.go Lines 56 to 58 in b1fbd36
Does that resolve your requirement for PKCE? |
@hperl absolutely fine by me in that case 👍 |
So I can remove the PKCE device code ? |
Yes please. |
PKCE has been removed! ✅ |
I'm thrilled seeing how this three even four legged contribution is going! Keep up the good work! We're super interested in having Device flow in Hydra 💪 |
f99287b
to
10419a9
Compare
@BuzzBumbleBee Thanks for a great contribution. A small point for your consideration. I am probably over-thinking this. On my end, we implemented device flow on our Fosite fork (https://github.com/vivshankar/fosite/tree/v0.44.x) and used the following terminology - RFC8628DeviceAuthorize The main motivation was because we anticipated CIBA also requiring a user authorization handler endpoint for cases where the back-channel authentication mechanism is a link that is sent to the user via SMS and other transports, as opposed to a more secure push notification. This would behave exactly like the /user_authorize endpoint you would use for device flow except it is sent through a back channel transport mechanism. We felt "DeviceUser" didn't necessarily capture that this was the device flow spec. Again, this is an extremely minor point and you can feel free to ignore this 😄 . My motivation here is for us to not stay forked forever when this PR is merged. |
This feature is essential, it seems that Canonical already adopt it internally. Is there anything we can do to move it further ? |
Related Issue or Design Document
Checklist
If this pull request addresses a security vulnerability,
I confirm that I got green light (please contact security@ory.sh) from the maintainers to push the changes.
Further comments