device flow poc for sign in

hugodutka · hugodutka · commit 0490fa1981f8 · 2025-02-13T15:26:52.000Z
diff --git a/cmd/what/main.go b/cmd/what/main.go
@@ -0,0 +1,55 @@
+package main
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"os"
+
+	"golang.org/x/oauth2"
+	"golang.org/x/oauth2/github"
+)
+
+func main() {
+	clientID := os.Getenv("CODER_OAUTH2_GITHUB_CLIENT_ID")
+	if clientID == "" {
+		panic("CODER_OAUTH2_GITHUB_CLIENT_ID environment variable is not set")
+	}
+
+	config := oauth2.Config{
+		ClientID: clientID,
+		Endpoint: github.Endpoint,
+		Scopes:   []string{"repo"},
+	}
+
+	ctx := context.Background()
+
+	// Request device code
+	deviceCode, err := config.DeviceAuth(ctx)
+	if err != nil {
+		panic(err)
+	}
+	// Marshal and print deviceCode as JSON
+	jsonData, err := json.Marshal(deviceCode)
+	if err != nil {
+		panic(err)
+	}
+	fmt.Printf("Device code as JSON:\n%s\n\n", string(jsonData))
+
+	// Convert to base64 and print
+	base64Data := base64.StdEncoding.EncodeToString(jsonData)
+	fmt.Printf("Device code as base64:\n%s\n\n", base64Data)
+
+	// Display instructions to user
+	fmt.Printf("Please visit: %s\n", deviceCode.VerificationURI)
+	fmt.Printf("And enter code: %s\n", deviceCode.UserCode)
+
+	// // Wait for user to complete authentication and get token
+	// token, err := config.DeviceAccessToken(ctx, deviceCode)
+	// if err != nil {
+	// 	panic(err)
+	// }
+
+	// fmt.Printf("Access token: %s\n", token.AccessToken)
+}
diff --git a/coderd/httpmw/oauth2.go b/coderd/httpmw/oauth2.go
@@ -2,6 +2,8 @@ package httpmw
 
 import (
 	"context"
+	"encoding/base64"
+	"encoding/json"
 	"fmt"
 	"net/http"
 	"net/url"
@@ -15,7 +17,6 @@ import (
 	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/coderd/promoauth"
 	"github.com/coder/coder/v2/codersdk"
-	"github.com/coder/coder/v2/cryptorand"
 )
 
 type oauth2StateKey struct{}
@@ -84,7 +85,8 @@ func ExtractOAuth2(config promoauth.OAuth2Config, client *http.Client, authURLOp
 				return
 			}
 
-			code := r.URL.Query().Get("code")
+			// code := r.URL.Query().Get("code")
+			deviceCode := r.URL.Query().Get("device_code")
 			state := r.URL.Query().Get("state")
 			redirect := r.URL.Query().Get("redirect")
 			if redirect != "" {
@@ -96,76 +98,105 @@ func ExtractOAuth2(config promoauth.OAuth2Config, client *http.Client, authURLOp
 				redirect = uriFromURL(redirect)
 			}
 
-			if code == "" {
-				// If the code isn't provided, we'll redirect!
-				var state string
-				// If this url param is provided, then a user is trying to merge
-				// their account with an OIDC account. Their password would have
-				// been required to get to this point, so we do not need to verify
-				// their password again.
-				oidcMergeState := r.URL.Query().Get("oidc_merge_state")
-				if oidcMergeState != "" {
-					state = oidcMergeState
-				} else {
-					var err error
-					state, err = cryptorand.String(32)
-					if err != nil {
-						httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
-							Message: "Internal error generating state string.",
-							Detail:  err.Error(),
-						})
-						return
-					}
+			var da *oauth2.DeviceAuthResponse
+			if deviceCode != "" {
+				// Decode base64-encoded device code
+				decodedBytes, err := base64.StdEncoding.DecodeString(deviceCode)
+				if err != nil {
+					httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+						Message: "Invalid device code format",
+						Detail:  err.Error(),
+					})
+					return
 				}
 
-				http.SetCookie(rw, &http.Cookie{
-					Name:     codersdk.OAuth2StateCookie,
-					Value:    state,
-					Path:     "/",
-					HttpOnly: true,
-					SameSite: http.SameSiteLaxMode,
-				})
-				// Redirect must always be specified, otherwise
-				// an old redirect could apply!
-				http.SetCookie(rw, &http.Cookie{
-					Name:     codersdk.OAuth2RedirectCookie,
-					Value:    redirect,
-					Path:     "/",
-					HttpOnly: true,
-					SameSite: http.SameSiteLaxMode,
-				})
-
-				http.Redirect(rw, r, config.AuthCodeURL(state, opts...), http.StatusTemporaryRedirect)
-				return
-			}
-
-			if state == "" {
+				// Unmarshal JSON into DeviceAuthResponse
+				da = &oauth2.DeviceAuthResponse{}
+				if err := json.Unmarshal(decodedBytes, da); err != nil {
+					httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+						Message: "Invalid device code data",
+						Detail:  err.Error(),
+					})
+					return
+				}
+			} else {
 				httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
-					Message: "State must be provided.",
+					Message: "Invalid device code data",
+					Detail:  "Device code is required for device flow.",
 				})
 				return
 			}
 
-			stateCookie, err := r.Cookie(codersdk.OAuth2StateCookie)
-			if err != nil {
-				httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
-					Message: fmt.Sprintf("Cookie %q must be provided.", codersdk.OAuth2StateCookie),
-				})
-				return
-			}
-			if stateCookie.Value != state {
-				httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
-					Message: "State mismatched.",
-				})
-				return
-			}
+			// if code == "" {
+			// 	// If the code isn't provided, we'll redirect!
+			// 	var state string
+			// 	// If this url param is provided, then a user is trying to merge
+			// 	// their account with an OIDC account. Their password would have
+			// 	// been required to get to this point, so we do not need to verify
+			// 	// their password again.
+			// 	oidcMergeState := r.URL.Query().Get("oidc_merge_state")
+			// 	if oidcMergeState != "" {
+			// 		state = oidcMergeState
+			// 	} else {
+			// 		var err error
+			// 		state, err = cryptorand.String(32)
+			// 		if err != nil {
+			// 			httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+			// 				Message: "Internal error generating state string.",
+			// 				Detail:  err.Error(),
+			// 			})
+			// 			return
+			// 		}
+			// 	}
+
+			http.SetCookie(rw, &http.Cookie{
+				Name:     codersdk.OAuth2StateCookie,
+				Value:    "hello",
+				Path:     "/",
+				HttpOnly: true,
+				SameSite: http.SameSiteLaxMode,
+			})
+			// 	// Redirect must always be specified, otherwise
+			// 	// an old redirect could apply!
+			// 	http.SetCookie(rw, &http.Cookie{
+			// 		Name:     codersdk.OAuth2RedirectCookie,
+			// 		Value:    redirect,
+			// 		Path:     "/",
+			// 		HttpOnly: true,
+			// 		SameSite: http.SameSiteLaxMode,
+			// 	})
+
+			// 	http.Redirect(rw, r, config.AuthCodeURL(state, opts...), http.StatusTemporaryRedirect)
+			// 	return
+			// }
+
+			// if state == "" {
+			// 	httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+			// 		Message: "State must be provided.",
+			// 	})
+			// 	return
+			// }
+
+			// stateCookie, err := r.Cookie(codersdk.OAuth2StateCookie)
+			// if err != nil {
+			// 	httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
+			// 		Message: fmt.Sprintf("Cookie %q must be provided.", codersdk.OAuth2StateCookie),
+			// 	})
+			// 	return
+			// }
+			// if stateCookie.Value != state {
+			// 	httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
+			// 		Message: "State mismatched.",
+			// 	})
+			// 	return
+			// }
 
 			stateRedirect, err := r.Cookie(codersdk.OAuth2RedirectCookie)
 			if err == nil {
 				redirect = stateRedirect.Value
 			}
 
-			oauthToken, err := config.Exchange(ctx, code)
+			oauthToken, err := config.DeviceAccessToken(ctx, da)
 			if err != nil {
 				httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
 					Message: "Internal error exchanging Oauth code.",
diff --git a/coderd/httpmw/oauth2_test.go b/coderd/httpmw/oauth2_test.go
@@ -32,6 +32,12 @@ func (*testOAuth2Provider) Exchange(_ context.Context, _ string, _ ...oauth2.Aut
 	}, nil
 }
 
+func (*testOAuth2Provider) DeviceAccessToken(_ context.Context, _ *oauth2.DeviceAuthResponse, _ ...oauth2.AuthCodeOption) (*oauth2.Token, error) {
+	return &oauth2.Token{
+		AccessToken: "hello",
+	}, nil
+}
+
 func (*testOAuth2Provider) TokenSource(_ context.Context, _ *oauth2.Token) oauth2.TokenSource {
 	return nil
 }
diff --git a/coderd/oauthpki/oidcpki.go b/coderd/oauthpki/oidcpki.go
@@ -133,6 +133,10 @@ func (ja *Config) Exchange(ctx context.Context, code string, opts ...oauth2.Auth
 	return ja.cfg.Exchange(ctx, code, opts...)
 }
 
+func (*Config) DeviceAccessToken(_ context.Context, _ *oauth2.DeviceAuthResponse, _ ...oauth2.AuthCodeOption) (*oauth2.Token, error) {
+	panic("not implemented")
+}
+
 func (ja *Config) jwtToken() (string, error) {
 	now := time.Now()
 	token := jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.MapClaims{
diff --git a/coderd/promoauth/oauth2.go b/coderd/promoauth/oauth2.go
@@ -14,11 +14,12 @@ import (
 type Oauth2Source string
 
 const (
-	SourceValidateToken    Oauth2Source = "ValidateToken"
-	SourceExchange         Oauth2Source = "Exchange"
-	SourceTokenSource      Oauth2Source = "TokenSource"
-	SourceAppInstallations Oauth2Source = "AppInstallations"
-	SourceAuthorizeDevice  Oauth2Source = "AuthorizeDevice"
+	SourceValidateToken     Oauth2Source = "ValidateToken"
+	SourceExchange          Oauth2Source = "Exchange"
+	SourceTokenSource       Oauth2Source = "TokenSource"
+	SourceDeviceAccessToken Oauth2Source = "DeviceAccessToken"
+	SourceAppInstallations  Oauth2Source = "AppInstallations"
+	SourceAuthorizeDevice   Oauth2Source = "AuthorizeDevice"
 
 	SourceGitAPIAuthUser        Oauth2Source = "GitAPIAuthUser"
 	SourceGitAPIListEmails      Oauth2Source = "GitAPIListEmails"
@@ -31,6 +32,7 @@ const (
 type OAuth2Config interface {
 	AuthCodeURL(state string, opts ...oauth2.AuthCodeOption) string
 	Exchange(ctx context.Context, code string, opts ...oauth2.AuthCodeOption) (*oauth2.Token, error)
+	DeviceAccessToken(ctx context.Context, da *oauth2.DeviceAuthResponse, opts ...oauth2.AuthCodeOption) (*oauth2.Token, error)
 	TokenSource(context.Context, *oauth2.Token) oauth2.TokenSource
 }
 
@@ -226,6 +228,10 @@ func (c *Config) Exchange(ctx context.Context, code string, opts ...oauth2.AuthC
 	return c.underlying.Exchange(c.wrapClient(ctx, SourceExchange), code, opts...)
 }
 
+func (c *Config) DeviceAccessToken(ctx context.Context, da *oauth2.DeviceAuthResponse, opts ...oauth2.AuthCodeOption) (*oauth2.Token, error) {
+	return c.underlying.DeviceAccessToken(c.wrapClient(ctx, SourceDeviceAccessToken), da, opts...)
+}
+
 func (c *Config) TokenSource(ctx context.Context, token *oauth2.Token) oauth2.TokenSource {
 	return c.underlying.TokenSource(c.wrapClient(ctx, SourceTokenSource), token)
 }
diff --git a/testutil/oauth2.go b/testutil/oauth2.go
@@ -35,6 +35,17 @@ func (c *OAuth2Config) Exchange(_ context.Context, _ string, _ ...oauth2.AuthCod
 	return c.Token, nil
 }
 
+func (c *OAuth2Config) DeviceAccessToken(_ context.Context, _ *oauth2.DeviceAuthResponse, _ ...oauth2.AuthCodeOption) (*oauth2.Token, error) {
+	if c.Token == nil {
+		return &oauth2.Token{
+			AccessToken:  "access_token",
+			RefreshToken: "refresh_token",
+			Expiry:       time.Now().Add(time.Hour),
+		}, nil
+	}
+	return c.Token, nil
+}
+
 func (c *OAuth2Config) TokenSource(_ context.Context, _ *oauth2.Token) oauth2.TokenSource {
 	if c.TokenSourceFunc == nil {
 		return OAuth2TokenSource(func() (*oauth2.Token, error) {

Original file line number	Diff line number	Diff line change
`@@ -32,6 +32,12 @@ func (*testOAuth2Provider) Exchange(_ context.Context, _ string, _ ...oauth2.Aut`
`32`	`32`	`}, nil`
`33`	`33`	`}`
`34`	`34`
	`35`	`+func (testOAuth2Provider) DeviceAccessToken(_ context.Context, _ oauth2.DeviceAuthResponse, _ ...oauth2.AuthCodeOption) (*oauth2.Token, error) {`
	`36`	`+ return &oauth2.Token{`
	`37`	`+ AccessToken: "hello",`
	`38`	`+ }, nil`
	`39`	`+}`
	`40`	`+`
`35`	`41`	`func (testOAuth2Provider) TokenSource(_ context.Context, _ oauth2.Token) oauth2.TokenSource {`
`36`	`42`	`return nil`
`37`	`43`	`}`