-
Notifications
You must be signed in to change notification settings - Fork 780
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[13.x] Device Authorization Grant RFC8628 #1750
Draft
hafezdivandari
wants to merge
54
commits into
laravel:13.x
Choose a base branch
from
hafezdivandari:13.x-device-code-grant
base: 13.x
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Draft
[13.x] Device Authorization Grant RFC8628 #1750
hafezdivandari
wants to merge
54
commits into
laravel:13.x
from
hafezdivandari:13.x-device-code-grant
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Thanks for submitting a PR! Note that draft PR's are not reviewed. If you would like a review, please mark your pull request as ready for review in the GitHub user interface. Pull requests that are abandoned in draft may be closed due to inactivity. |
This was referenced Jul 29, 2024
2 tasks
hafezdivandari
changed the title
[13.x] Add OAuth 2.0 Device Authorization Grant RFC8628
[13.x] Device Authorization Grant RFC8628
Sep 19, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds support for Device Authorization grant RFC 8628.
Additions
Grant type
urn:ietf:params:oauth:grant-type:device_code
ORM
oauth_device_codes
table.Laravel\Passport\DeviceCode
model.Passport::useDeviceCodeModel()
Routes
POST /device/code
: Request device code / user code.GET /device
: Display a form for entering the user code.GET /device/authorize
: Display authorization consent.POST /device/authorize
: Approve authorization.DELETE /device/authorize
: Deny authorization.Views
Passport::deviceAuthorizationView()
(Jestream / Inertia sample) (Jestream / Livewire sample)Passport::deviceUserCodeView()
(Jestream / Inertia sample) (Jestream / Livewire sample)Commands
--device
option onpassport:client
command.passport:client
command.passport:purge
command.Device Authorization Grant
The OAuth2 device authorization grant allows browserless or limited input devices, such as TVs and game consoles, to obtain an access token by exchanging a "device code". When using device flow, the device client will instruct the user to use a secondary device, such as a computer or a smartphone and connect to your server where they will enter the provided "user code" and either approve or deny the access request.
To get started, we need to instruct Passport how to return our "user code" and "authorization" views. Remember, Passport is a headless OAuth2 library. If you would like a frontend implementation of Laravel's OAuth features that are already completed for you, you should use an application starter kit.
All the authorization view's rendering logic may be customized using the appropriate methods available via the
Laravel\Passport\Passport
class. Typically, you should call this method from theboot
method of your application'sApp\Providers\AppServiceProvider
class. Passport will take care of defining the routes that returns these views:Creating a Device Code Grant Client
Before your application can issue tokens via the device authorization grant, you will need to create a device flow enabled client. You may do this using the
passport:client
Artisan command with the--device
option:Requesting Tokens
Requesting Device Code
Once a client has been created, developers may use their client ID to request a device code from your application. First, the consuming device should make a
POST
request to your application's/oauth/device/code
route to request a device code:This will return a JSON response containing
device_code
,user_code
,verification_uri
,interval
andexpires_in
attributes. Theexpires_in
attribute contains the number of seconds until the device code expires. Theinterval
attribute contains the number of seconds, the consuming device should wait between requests, when polling\oauth\token
route to avoid rate limit errors.Note
Remember, the
/oauth/device/code
route is already defined by Passport. You do not need to manually define this route.Displaying Verification URI and User Code
Once a device code request has been obtained, the consuming device should instruct the user to use another device and visit the provided
verification_uri
and enter theuser_code
in order to review the authorization request.Polling Token Request
Since the user will be using a separate device to grant (or deny) access, the consuming device should poll your application's
/oauth/token
route to determine when the user has responded to the request. The consuming device should use the minimum pollinginterval
provided in the JSON response when requesting device code to avoid rate limit errors:If the user has approved the authorization request, this will return a JSON response containing
access_token
,refresh_token
, andexpires_in
attributes. Theexpires_in
attribute contains the number of seconds until the access token expires.