discovery metadata for Device-Flow-Proxy-Server #4

Open
jbasney opened this issue Aug 28, 2020 · 0 comments
Comments

jbasney commented Aug 28, 2020

Hi,

Thanks very much for sharing this code. We found it from the links at https://oauth.net/2/device-flow/. It's very helpful for us on the https://www.cilogon.org/ project.

I wonder if you can provide some advice/guidance for us related to discovery metadata. My apologies if this isn't the right place to ask.

The situation arises if (for example) we have an issuer of https://example.com with metadata at https://example.com/.well-known/oauth-authorization-server containing:

{
  "issuer": "https://example.com",
  "authorization_endpoint": "https://example.com/oauth2/authorize",
  "token_endpoint": "https://example.com/oauth2/token",
  "token_endpoint_auth_methods_supported": ["client_secret_basic"],
  "response_types_supported": ["code"],
  "grant_types_supported": ["authorization_code"]
}

Then we configure the Device-Flow-Proxy-Server with:

BASE_URL=https://oauth-device-flow-demo.herokuapp.com
AUTHORIZATION_ENDPOINT=https://example.com/oauth2/authorize
TOKEN_ENDPOINT=https://example.com/oauth2/token

So we modify our metadata according to https://tools.ietf.org/html/rfc8628#section-4 as follows:

{
  "issuer": "https://example.com",
  "authorization_endpoint": "https://example.com/oauth2/authorize",
  "device_authorization_endpoint": "https://oauth-device-flow-demo.herokuapp.com/device/code",
  "token_endpoint": "https://example.com/oauth2/token",
  "token_endpoint_auth_methods_supported": ["client_secret_basic"],
  "response_types_supported": ["code"],
  "grant_types_supported": ["authorization_code", "urn:ietf:params:oauth:grant-type:device_code"]
}

It almost works, except after the client gets the device_code from https://oauth-device-flow-demo.herokuapp.com/device/code it sends it to https://example.com/oauth2/token instead of https://oauth-device-flow-demo.herokuapp.com/device/token. We need something like

  "device_token_endpoint": "https://oauth-device-flow-demo.herokuapp.com/device/token"

in our metadata, but https://tools.ietf.org/html/rfc8628#section-4 doesn't give us that option. And since the Device-Flow-Proxy-Server doesn't change the issuer, https://tools.ietf.org/html/rfc8414#section-3 doesn't seem to give us the option of hosting metadata for it at a different location, unless we follow the "application-specific" method.

Am I missing something? Thanks in advance for any advice/guidance you can give.

-Jim
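To make the behaviour Jim describes concrete, here is an added example of how a standards-following client resolves device-flow endpoints from RFC 8414 metadata. It is not code from the Device-Flow-Proxy-Server project or from the issue author; the metadata documents are the ones quoted in the issue, embedded inline as constructed input, and the `resolve_device_flow` / `well_known_url` function names are this example's own. The resolver checks the two things a client should check before trusting a metadata document (the issuer in the document matches the issuer that was queried, per RFC 8414 section 3.3, and the device_code grant is advertised) and then shows why the poll goes to `token_endpoint`: RFC 8628 section 3.4 sends the device_code grant to the token endpoint, and section 4 defines no separate device token endpoint key. The `split_deployment` flag surfaces exactly the proxy situation from the issue, where the device authorization endpoint lives on a different host than the token endpoint.

```python
"""Resolve RFC 8628 device-flow endpoints from RFC 8414 authorization server metadata.

Added example for this issue; not part of the Device-Flow-Proxy-Server project.
Metadata documents below are constructed from the issue text.
"""
import json
from urllib.parse import urlsplit, urlunsplit

DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
WELL_KNOWN = "/.well-known/oauth-authorization-server"

# Constructed: the metadata from the issue, before and after the RFC 8628 additions.
METADATA_WITHOUT_DEVICE_FLOW = json.dumps({
    "issuer": "https://example.com",
    "authorization_endpoint": "https://example.com/oauth2/authorize",
    "token_endpoint": "https://example.com/oauth2/token",
    "token_endpoint_auth_methods_supported": ["client_secret_basic"],
    "response_types_supported": ["code"],
    "grant_types_supported": ["authorization_code"],
})
METADATA_WITH_DEVICE_FLOW = json.dumps({
    "issuer": "https://example.com",
    "authorization_endpoint": "https://example.com/oauth2/authorize",
    "device_authorization_endpoint": "https://oauth-device-flow-demo.herokuapp.com/device/code",
    "token_endpoint": "https://example.com/oauth2/token",
    "token_endpoint_auth_methods_supported": ["client_secret_basic"],
    "response_types_supported": ["code"],
    "grant_types_supported": ["authorization_code", DEVICE_CODE_GRANT],
})


def well_known_url(issuer: str) -> str:
    """RFC 8414 section 3: insert the well-known path between host and issuer path."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or parts.query or parts.fragment:
        raise ValueError("issuer must be an https URL with no query or fragment")
    path = parts.path.rstrip("/")
    return urlunsplit((parts.scheme, parts.netloc, WELL_KNOWN + path, "", ""))


def resolve_device_flow(expected_issuer: str, metadata_json: str, client_id: str) -> dict:
    """Return the endpoints and request bodies a device-flow client would use.

    Raises ValueError when the metadata must not be trusted or cannot support the flow.
    """
    md = json.loads(metadata_json)
    # RFC 8414 section 3.3: the issuer in the document must equal the one queried,
    # otherwise a substituted document could redirect the client elsewhere.
    if md.get("issuer") != expected_issuer:
        raise ValueError("issuer mismatch: %r != %r" % (md.get("issuer"), expected_issuer))
    if DEVICE_CODE_GRANT not in md.get("grant_types_supported", []):
        raise ValueError("device_code grant not advertised in grant_types_supported")
    device_auth = md.get("device_authorization_endpoint")
    if not device_auth:
        raise ValueError("device_authorization_endpoint missing from metadata")
    # RFC 8628 section 3.4: the device_code grant is exchanged at token_endpoint.
    # Section 4 defines no separate key for a device token endpoint, which is the gap
    # the issue runs into when a proxy serves only the device endpoints.
    token = md["token_endpoint"]
    return {
        "device_authorization_endpoint": device_auth,
        "token_polling_endpoint": token,
        # True when the device authorization endpoint is served by another host.
        "split_deployment": urlsplit(device_auth).netloc != urlsplit(token).netloc,
        # RFC 8628 section 3.1 device authorization request parameters.
        "device_authorization_request": {"client_id": client_id},
        # RFC 8628 section 3.4 token request parameters (device_code filled in later).
        "token_request_template": {"grant_type": DEVICE_CODE_GRANT, "client_id": client_id},
    }


if __name__ == "__main__":
    print(well_known_url("https://example.com"))
    print(json.dumps(resolve_device_flow("https://example.com", METADATA_WITH_DEVICE_FLOW, "demo"), indent=2))
```

Run against the modified metadata from the issue, the resolver reports the herokuapp device authorization endpoint, `https://example.com/oauth2/token` as the polling endpoint, and `split_deployment` set to true; that combination is the configuration to look for when a device-flow client appears to poll the wrong host. Run against the original metadata it refuses, because the device_code grant is not advertised.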
