Skip to content

Commit

Permalink
fix: do not create openid session on device auth request
Browse files Browse the repository at this point in the history
  • Loading branch information
nsklikas committed Dec 6, 2024
1 parent ca04a4a commit a5ad00e
Show file tree
Hide file tree
Showing 2 changed files with 3 additions and 36 deletions.
12 changes: 3 additions & 9 deletions handler/openid/flow_device_auth.go
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,9 @@ type OpenIDConnectDeviceHandler struct {
}

func (c *OpenIDConnectDeviceHandler) HandleDeviceEndpointRequest(ctx context.Context, dar fosite.DeviceRequester, resp fosite.DeviceResponder) error {
// We don't want to create the openid session on this call, because we don't know if the user
// will actually complete the flow and give consent. The implementer MUST call the CreateOpenIDConnectSession
// methods when the user logs in to instantiate the session.
if !(dar.GetRequestedScopes().Has("openid")) {
return nil
}
Expand All @@ -37,14 +40,5 @@ func (c *OpenIDConnectDeviceHandler) HandleDeviceEndpointRequest(ctx context.Con
return errorsx.WithStack(fosite.ErrMisconfiguration.WithDebug("The device code has not been issued yet, indicating a broken code configuration."))
}

signature, err := c.DeviceCodeStrategy.DeviceCodeSignature(ctx, resp.GetDeviceCode())
if err != nil {
return err
}

if err := c.OpenIDConnectRequestStorage.CreateOpenIDConnectSession(ctx, signature, dar.Sanitize(oidcParameters)); err != nil {
return errorsx.WithStack(fosite.ErrServerError.WithWrap(err).WithDebug(err.Error()))
}

return nil
}
27 changes: 0 additions & 27 deletions handler/openid/flow_device_auth_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,6 @@ import (
"time"

"github.com/ory/fosite/internal"
"github.com/pkg/errors"
gomock "go.uber.org/mock/gomock"

"github.com/stretchr/testify/require"
Expand Down Expand Up @@ -101,26 +100,6 @@ func TestDeviceAuth_HandleDeviceEndpointRequest(t *testing.T) {
authresp: &fosite.DeviceResponse{},
expectErr: fosite.ErrMisconfiguration,
},
{
description: "should fail because cannot create session",
authreq: &fosite.DeviceRequest{
Request: fosite.Request{
RequestedScope: fosite.Arguments{"openid", "email"},
Client: client,
Session: session,
},
},
authresp: &fosite.DeviceResponse{
DeviceCode: "device_code",
},
setup: func(authreq *fosite.DeviceRequest) {
store.
EXPECT().
CreateOpenIDConnectSession(gomock.Any(), gomock.Any(), gomock.Eq(authreq.Sanitize(oidcParameters))).
Return(errors.New(""))
},
expectErr: fosite.ErrServerError,
},
{
description: "should pass",
authreq: &fosite.DeviceRequest{
Expand All @@ -133,12 +112,6 @@ func TestDeviceAuth_HandleDeviceEndpointRequest(t *testing.T) {
authresp: &fosite.DeviceResponse{
DeviceCode: "device_code",
},
setup: func(authreq *fosite.DeviceRequest) {
store.
EXPECT().
CreateOpenIDConnectSession(gomock.Any(), gomock.Any(), gomock.Eq(authreq.Sanitize(oidcParameters))).
Return(nil)
},
},
}

Expand Down

0 comments on commit a5ad00e

Please sign in to comment.