Allow Device Grant to be completed out of band

[robotdan]

Allow Device Grant to be completed out of band

Description

There may be use cases where you need to bail out of our oauth login flow but want to complete a device grant flow later.

Solution

New APIs

• POST /oauth2/device/complete - complete a device grant
  • Authorize: API key (optionally add a JWT to omit the post body)
  • userId=userId
• POST /oauth2/device/introspect - Validate a user_code
  • parameters: user_code
  • result: ok, if an IdP link is present, return enough data to display to a user or complete a link manually

Workflow

Workflow A

1. Start a device grant with an IdP link
2. Enter code on a FusionAuth page and bail sometime before completing login which means no auth code was generated.
3. Complete device code grant with a new API which will complete the IdP link associated with a user_code

Workflow B

1. Start a device grant with an IdP link
2. Enter code on a FusionAuth page and bail sometime before completing login which means no auth code was generated.
3. Complete the IdP link using an API, this links the IdP to the user
4. Complete device code grant, the link is already completed from the prior step, it should not error, and complete normally.

Workflow C

1. Start a device grant with an IdP link
2. Collect the code on your own page, not using a themed FusionAuth page
3. Validate the user_code with the existing API /oauth2/device/validate, or call a new API /oauth2/device/introspect to validate and get information about the user_code such as if there is a device link associated with it, the type, id, name, and user display name from the pending link..
4. Begin an Auth code grant with the collected user_code
5. Complete Auth code grant, link is completed.

Related

• Introspect endpoint does not support client authentication according to the spec #1100
• Add support for tokens obtained from the client credentials grant on the introspection endpoint #1434

Documentation

• new /oauth2/device/user-code
• new /oauth2/device/approve
• updates to /oauth2/introspect
• deviceInfo.device.type is no longer an enum
• new /api/identity-provider/link/pending

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

[robotdan]

Internal:

• https://github.com/FusionAuth/fusionauth-app/pull/256
• https://github.com/FusionAuth/fusionauth-app/commit/07f7b261447a839d5ad17c2af0909c752dfdc586

Doc

• add device-user-code fusionauth-site#2263
• New API for pending IdP link fusionauth-site#2271