Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: use /token endpoint to get tokens with device flow #2010

Merged
merged 3 commits into from
May 1, 2021
Merged

fix: use /token endpoint to get tokens with device flow #2010

merged 3 commits into from
May 1, 2021

Conversation

nabokihms
Copy link
Member

@nabokihms nabokihms commented Feb 20, 2021
edited
Loading

Signed-off-by: m.nabokikh [email protected]

Overview

rfc6749#section-3.2

  • Make /token endpoint responding to requests with device auth grant
  • Allow only POST requests /token endpoint
  • Do not search for a client in storage if an invalid grant type is provided

What this PR does / why we need it

Fixes #1953
As was mentioned in the issue above, the main problem that the token endpoint is not discoverable.

Special notes for your reviewer

This MR leaves the possibility to get a token from the /device/token endpoint.

Does this PR introduce a user-facing change?

There are no breaking changes, but it will be better to avoid using /device/token endpoint in the feature.

Make `/token` endpoint responding to requests with device auth grant. The `/device/token` endpoint becomes DEPRECATED.

@sagikazarmark
Copy link
Member

Should we deprecate the /device/token endpoint?

@sagikazarmark sagikazarmark self-requested a review February 20, 2021 12:15
@sagikazarmark sagikazarmark added this to the v2.29.0 milestone Feb 20, 2021
@nabokihms
Copy link
Member Author

Yes, I think so. I left a to-do but did nothing with deprecation. Maybe adding some sort of warning on endpoint call will be good enough.
"Some of Dex clients called the deprecated /device/token endpoint. It will be removed in a future release."

Something like this.

@sagikazarmark
Copy link
Member

For me, deprecation would mean

  • a comment in the code somewhere
  • potentially a warning log message
  • a note in the release notes

@nabokihms nabokihms force-pushed the switch-device-token-endpoint-to-token branch from ab8b38b to 9ed5cc0 Compare February 24, 2021 13:24
sagikazarmark
sagikazarmark requested changes Feb 24, 2021
View reviewed changes
server/deviceflowhandlers.go Outdated
Comment on lines 155 to 156
s.logger.Warn(`Request to the deprecated "/device/token" endpoint was received.`)
s.logger.Warn(`The "/device/token" endpoint will be removed in a future release.`)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we make this a single log line? And maybe make the message a bit more concise?

server/server_test.go Outdated
@@ -1583,7 +1583,7 @@ func TestOAuth2DeviceFlow(t *testing.T) {

// Hit the Token Endpoint, and try and get an access token
tokenURL, _ := url.Parse(issuer.String())
tokenURL.Path = path.Join(tokenURL.Path, "/device/token")
tokenURL.Path = path.Join(tokenURL.Path, "/token")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we add a test with the old path to make sure it's still functional?

server/deviceflowhandlers.go Outdated
@@ -151,7 +151,10 @@ func (s *Server) handleDeviceCode(w http.ResponseWriter, r *http.Request) {
}
}

func (s *Server) handleDeviceToken(w http.ResponseWriter, r *http.Request) {
func (s *Server) handleDeviceTokenGrant(w http.ResponseWriter, r *http.Request) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this name is a bit confusing and ambiguous with the handleDeviceToken name. Maybe call it something like deprecatedDeviceTokenHandler or handleDeviceTokenDeprecated.

@nabokihms nabokihms requested a review from sagikazarmark March 8, 2021 04:49
sagikazarmark
sagikazarmark approved these changes Mar 25, 2021
View reviewed changes
Copy link
Member

@sagikazarmark sagikazarmark left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks

@justenwalker
Copy link

@sagikazarmark Anything preventing this from being merged/closed?

@sagikazarmark sagikazarmark merged commit 94a2b3e into dexidp:master May 1, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sagikazarmark sagikazarmark sagikazarmark approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v2.29.0
Development

Successfully merging this pull request may close these issues.

device auth flow token endpoint is not discoverable
3 participants
@nabokihms @sagikazarmark @justenwalker