feat: device authorization RFC 8628

[muhlemmer]

This adds support for RFC 8628, device authorization grant. The flow is build to work on top of the current login (Go UI):

1. Client device initiates a request:
   a. It receives a User Code and URL that are printed to the user. (Also a complete link is sent)
   b. The device keeps polling the token endpoint until the device authorization grant is completed (Allowed, Denied or Exipired)
2. User navigates their browser to the provided URL and enters the User Code.
3. The user is then forwarded into the Login UI.
4. When login is completed, the user is redirected to a confirmation page and given the choice to Allow or Deny the device authorization.
5. After the user allows the device, the device will receive a token on the next poll.

Definition of Ready

• I am happy with the code
• Short description of the feature/issue is added in the pr description
• PR is linked to the corresponding user story
• Acceptance criteria are met
• All open todos and follow ups are defined in a new ticket and justified
• Deviations from the acceptance criteria and design are agreed with the PO and documented.
• No debug or dead code
• Critical parts are tested automatically
• Where possible E2E tests are implemented
• Documentation/examples are up-to-date
• All non-functional requirements are met
• Functionality of the acceptance criteria is checked manually on the dev system.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
docs	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Apr 19, 2023 8:32am

[codecov]

Codecov Report

Merging #5646 (fd6645a) into main (991a563) will increase coverage by 0.00%.
The diff coverage is 58.41%.

@@           Coverage Diff            @@
##             main    #5646    +/-   ##
========================================
  Coverage   48.42%   48.42%            
========================================
  Files         693      699     +6     
  Lines       72237    72734   +497     
========================================
+ Hits        34981    35222   +241     
- Misses      35620    35857   +237     
- Partials     1636     1655    +19     

Impacted Files	Coverage Δ
internal/api/grpc/admin/export.go	0.00% <0.00%> (ø)
internal/api/grpc/admin/server.go	0.00% <0.00%> (ø)
internal/api/grpc/management/idp_converter.go	9.39% <0.00%> (-0.06%)	⬇️
...i/grpc/management/project_application_converter.go	0.00% <0.00%> (ø)
internal/api/grpc/management/server.go	0.00% <0.00%> (ø)
internal/api/grpc/server/gateway.go	3.84% <0.00%> (-5.53%)	⬇️
.../api/grpc/server/middleware/service_interceptor.go	0.00% <0.00%> (ø)
internal/api/grpc/server/server.go	0.00% <0.00%> (ø)
internal/api/grpc/system/server.go	0.00% <0.00%> (ø)
internal/command/project_application_saml_model.go	61.79% <0.00%> (+0.34%)	⬆️
... and 31 more

... and 4 files with indirect coverage changes

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[muhlemmer]

I'm mostly done, this still needs to be clarified (already posted in chat):

I rechecked the acceptance criteria and I should add the Device Authorization Grant also to the App / Client config. I've added OIDC_GRANT_TYPE_DEVICE_CODE to app.proto, regenerated and implemented the various type converters.

The question: should I check and enforce if the grant type is configured for the client and reject the request if it is not?

I'm asking because when I text/reference search for the other grant types, I don't see any enforcements on them either. Just oidc compliance checks.

I will also create a follow-up issue for console changes.

[muhlemmer]

Enforcement of the grant type is now implemented:

zitadel/internal/api/oidc/device_auth.go

Lines 83 to 92 in 7aa22b9

	// TODO(muhlemmer): Remove the following code block with oidc v3
	// https://github.com/zitadel/oidc/issues/370
	client, err := o.GetClientByClientID(ctx, clientID)
	if err != nil {
	return err
	}
	if !op.ValidateGrantType(client, oidc.GrantTypeDeviceCode) {
	return errors.ThrowPermissionDeniedf(nil, "OIDC-et1Ae", "grant type %q not allowed for client", oidc.GrantTypeDeviceCode)
	}

[adlerhurst]

reviewed code

[github-actions]

🎉 This PR is included in version 2.24.0-ignore-me2.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀