coder
diff --git a/‎cli/server.go
Lines changed: 9 additions & 2 deletions b/‎cli/server.go
Lines changed: 9 additions & 2 deletions
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 20 additions & 0 deletions b/‎coderd/apidoc/docs.go
Lines changed: 20 additions & 0 deletions
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 16 additions & 0 deletions b/‎coderd/apidoc/swagger.json
Lines changed: 16 additions & 0 deletions
diff --git a/‎coderd/coderd.go
Lines changed: 2 additions & 0 deletions b/‎coderd/coderd.go
Lines changed: 2 additions & 0 deletions
diff --git a/‎coderd/httpmw/oauth2.go
Lines changed: 10 additions & 3 deletions b/‎coderd/httpmw/oauth2.go
Lines changed: 10 additions & 3 deletions
diff --git a/‎coderd/promoauth/oauth2.go
Lines changed: 0 additions & 5 deletions b/‎coderd/promoauth/oauth2.go
Lines changed: 0 additions & 5 deletions
diff --git a/‎coderd/userauth.go
Lines changed: 112 additions & 0 deletions b/‎coderd/userauth.go
Lines changed: 112 additions & 0 deletions
diff --git a/‎docs/reference/api/users.md
Lines changed: 32 additions & 0 deletions b/‎docs/reference/api/users.md
Lines changed: 32 additions & 0 deletions
diff --git a/‎site/src/api/api.ts
Lines changed: 15 additions & 0 deletions b/‎site/src/api/api.ts
Lines changed: 15 additions & 0 deletions
diff --git a/‎site/src/api/queries/oauth2.ts
Lines changed: 14 additions & 0 deletions b/‎site/src/api/queries/oauth2.ts
Lines changed: 14 additions & 0 deletions
@@ -677,7 +677,7 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 				}
 			}
 
-			if vals.OAuth2.Github.ClientSecret != "" {
+			if vals.OAuth2.Github.ClientID != "" {
 				options.GithubOAuth2Config, err = configureGithubOAuth2(
 					oauthInstrument,
 					vals.AccessURL.Value(),
@@ -1899,7 +1899,14 @@ func configureGithubOAuth2(instrument *promoauth.Factory, accessURL *url.URL, cl
 	}
 
 	return &coderd.GithubOAuth2Config{
-		OAuth2Config:       instrumentedOauth,
+		OAuth2Config: instrumentedOauth,
+		DeviceAuth: &externalauth.DeviceAuth{
+			Config:   instrumentedOauth,
+			ClientID: clientID,
+			TokenURL: endpoint.TokenURL,
+			Scopes:   []string{"read:user", "read:org", "user:email"},
+			CodeURL:  endpoint.DeviceAuthURL,
+		},
 		AllowSignups:       allowSignups,
 		AllowEveryone:      allowEveryone,
 		AllowOrganizations: allowOrgs,
 
@@ -1087,6 +1087,8 @@ func New(options *Options) *API {
 				r.Post("/validate-password", api.validateUserPassword)
 				r.Post("/otp/change-password", api.postChangePasswordWithOneTimePasscode)
 				r.Route("/oauth2", func(r chi.Router) {
+					r.Get("/github/device", api.userOAuth2GithubDevice)
+					r.Post("/github/device", api.postGithubOAuth2Device)
 					r.Route("/github", func(r chi.Router) {
 						r.Use(
 							httpmw.ExtractOAuth2(options.GithubOAuth2Config, options.HTTPClient, nil),
 
@@ -167,9 +167,16 @@ func ExtractOAuth2(config promoauth.OAuth2Config, client *http.Client, authURLOp
 
 			oauthToken, err := config.Exchange(ctx, code)
 			if err != nil {
-				httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
-					Message: "Internal error exchanging Oauth code.",
-					Detail:  err.Error(),
+				errorCode := http.StatusInternalServerError
+				detail := err.Error()
+				if detail == "authorization_pending" {
+					// In the device flow, the token may not be immediately
+					// available. This is expected, and the client will retry.
+					errorCode = http.StatusBadRequest
+				}
+				httpapi.Write(ctx, rw, errorCode, codersdk.Response{
+					Message: "Failed exchanging Oauth code.",
+					Detail:  detail,
 				})
 				return
 			}
 
@@ -32,7 +32,6 @@ const (
 type OAuth2Config interface {
 	AuthCodeURL(state string, opts ...oauth2.AuthCodeOption) string
 	Exchange(ctx context.Context, code string, opts ...oauth2.AuthCodeOption) (*oauth2.Token, error)
-	DeviceAccessToken(ctx context.Context, da *oauth2.DeviceAuthResponse, opts ...oauth2.AuthCodeOption) (*oauth2.Token, error)
 	TokenSource(context.Context, *oauth2.Token) oauth2.TokenSource
 }
 
@@ -228,10 +227,6 @@ func (c *Config) Exchange(ctx context.Context, code string, opts ...oauth2.AuthC
 	return c.underlying.Exchange(c.wrapClient(ctx, SourceExchange), code, opts...)
 }
 
-func (c *Config) DeviceAccessToken(ctx context.Context, da *oauth2.DeviceAuthResponse, opts ...oauth2.AuthCodeOption) (*oauth2.Token, error) {
-	return c.underlying.DeviceAccessToken(c.wrapClient(ctx, SourceDeviceAccessToken), da, opts...)
-}
-
 func (c *Config) TokenSource(ctx context.Context, token *oauth2.Token) oauth2.TokenSource {
 	return c.underlying.TokenSource(c.wrapClient(ctx, SourceTokenSource), token)
 }
 
@@ -752,6 +752,22 @@ type GithubOAuth2Config struct {
 	AllowEveryone      bool
 	AllowOrganizations []string
 	AllowTeams         []GithubOAuth2Team
+	// DeviceAuth is set if the provider uses the device flow.
+	DeviceAuth *externalauth.DeviceAuth
+}
+
+func (c *GithubOAuth2Config) Exchange(ctx context.Context, code string, opts ...oauth2.AuthCodeOption) (*oauth2.Token, error) {
+	if c.DeviceAuth == nil {
+		return c.OAuth2Config.Exchange(ctx, code, opts...)
+	}
+	return c.DeviceAuth.ExchangeDeviceCode(ctx, code)
+}
+
+func (c *GithubOAuth2Config) AuthCodeURL(state string, opts ...oauth2.AuthCodeOption) string {
+	if c.DeviceAuth == nil {
+		return c.OAuth2Config.AuthCodeURL(state, opts...)
+	}
+	return "/device-login?state=" + state
 }
 
 // @Summary Get authentication methods
@@ -786,6 +802,102 @@ func (api *API) userAuthMethods(rw http.ResponseWriter, r *http.Request) {
 	})
 }
 
+// @Summary Get Github device auth.
+// @ID get-github-device-auth
+// @Produce json
+// @Tags Users
+// @Success 200 {object} codersdk.ExternalAuthDevice
+// @Router /users/oauth2/github/device [get]
+func (api *API) userOAuth2GithubDevice(rw http.ResponseWriter, r *http.Request) {
+	var (
+		ctx               = r.Context()
+		auditor           = api.Auditor.Load()
+		aReq, commitAudit = audit.InitRequest[database.APIKey](rw, &audit.RequestParams{
+			Audit:   *auditor,
+			Log:     api.Logger,
+			Request: r,
+			Action:  database.AuditActionLogin,
+		})
+	)
+	aReq.Old = database.APIKey{}
+	defer commitAudit()
+
+	if api.GithubOAuth2Config == nil {
+		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+			Message: "Github OAuth2 is not enabled.",
+		})
+		return
+	}
+
+	if api.GithubOAuth2Config.DeviceAuth == nil {
+		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+			Message: "Device flow is not enabled for Github OAuth2.",
+		})
+		return
+	}
+
+	deviceAuth, err := api.GithubOAuth2Config.DeviceAuth.AuthorizeDevice(ctx)
+	if err != nil {
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "Failed to authorize device.",
+			Detail:  err.Error(),
+		})
+		return
+	}
+
+	httpapi.Write(ctx, rw, http.StatusOK, deviceAuth)
+}
+
+// @Summary Excha Github device auth.
+// @ID get-github-device-auth
+// @Produce json
+// @Tags Users
+// @Success 200 {object} codersdk.ExternalAuthDevice
+// @Router /users/oauth2/github/device [get]
+func (api *API) postGithubOAuth2Device(rw http.ResponseWriter, r *http.Request) {
+	var (
+		ctx               = r.Context()
+		auditor           = api.Auditor.Load()
+		aReq, commitAudit = audit.InitRequest[database.APIKey](rw, &audit.RequestParams{
+			Audit:   *auditor,
+			Log:     api.Logger,
+			Request: r,
+			Action:  database.AuditActionLogin,
+		})
+	)
+	aReq.Old = database.APIKey{}
+	defer commitAudit()
+
+	if api.GithubOAuth2Config == nil {
+		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+			Message: "Github OAuth2 is not enabled.",
+		})
+		return
+	}
+	if api.GithubOAuth2Config.DeviceAuth == nil {
+		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+			Message: "Device flow is not enabled for Github OAuth2.",
+		})
+		return
+	}
+
+	var req codersdk.ExternalAuthDeviceExchange
+	if !httpapi.Read(ctx, rw, r, &req) {
+		return
+	}
+
+	token, err := api.GithubOAuth2Config.DeviceAuth.ExchangeDeviceCode(ctx, req.DeviceCode)
+	if err != nil {
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "Failed to exchange device code.",
+			Detail:  err.Error(),
+		})
+		return
+	}
+
+	httpapi.Write(ctx, rw, http.StatusOK, token)
+}
+
 // @Summary OAuth 2.0 GitHub Callback
 // @ID oauth-20-github-callback
 // @Security CoderSessionToken
 
@@ -1585,6 +1585,21 @@ class ApiMethods {
 		return resp.data;
 	};
 
+	getOAuth2GitHubCallback = async (code: string, state: string): Promise<string> => {
+		const resp =await this.axios.get(`/api/v2/users/oauth2/github/callback?code=${code}&state=${state}`);
+		const location = resp.headers.location;
+		if (typeof location !== "string") {
+			console.warn("OAuth2 GitHub callback location is not a string", location);
+			return "/";
+		}
+		return location;
+	};
+
+	getOAuth2GitHubDevice = async (): Promise<TypesGen.ExternalAuthDevice> => {
+		const resp = await this.axios.get("/api/v2/users/oauth2/github/device");
+		return resp.data;
+	};
+
 	getOAuth2ProviderApps = async (
 		filter?: TypesGen.OAuth2ProviderAppFilter,
 	): Promise<TypesGen.OAuth2ProviderApp[]> => {
 
@@ -7,6 +7,20 @@ const userAppsKey = (userId: string) => appsKey.concat(userId);
 const appKey = (appId: string) => appsKey.concat(appId);
 const appSecretsKey = (appId: string) => appKey(appId).concat("secrets");
 
+export const getGitHubDevice = () => {
+	return {
+		queryKey: ["oauth2-provider", "github", "device"],
+		queryFn: () => API.getOAuth2GitHubDevice(),
+	};
+};
+
+export const getGitHubCallback = (code: string, state: string) => {
+	return {
+		queryKey: ["oauth2-provider", "github", "callback", code, state],
+		queryFn: () => API.getOAuth2GitHubCallback(code, state),
+	};
+};
+
 export const getApps = (userId?: string) => {
 	return {
 		queryKey: userId ? appsKey.concat(userId) : appsKey,
Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,6 @@ const (`
`32`	`32`	`type OAuth2Config interface {`
`33`	`33`	`AuthCodeURL(state string, opts ...oauth2.AuthCodeOption) string`
`34`	`34`	`Exchange(ctx context.Context, code string, opts ...oauth2.AuthCodeOption) (*oauth2.Token, error)`
`35`		`- DeviceAccessToken(ctx context.Context, da oauth2.DeviceAuthResponse, opts ...oauth2.AuthCodeOption) (oauth2.Token, error)`
`36`	`35`	`TokenSource(context.Context, *oauth2.Token) oauth2.TokenSource`
`37`	`36`	`}`
`38`	`37`
`@@ -228,10 +227,6 @@ func (c *Config) Exchange(ctx context.Context, code string, opts ...oauth2.AuthC`
`228`	`227`	`return c.underlying.Exchange(c.wrapClient(ctx, SourceExchange), code, opts...)`
`229`	`228`	`}`
`230`	`229`
`231`		`-func (c Config) DeviceAccessToken(ctx context.Context, da oauth2.DeviceAuthResponse, opts ...oauth2.AuthCodeOption) (*oauth2.Token, error) {`
`232`		`- return c.underlying.DeviceAccessToken(c.wrapClient(ctx, SourceDeviceAccessToken), da, opts...)`
`233`		`-}`
`234`		`-`
`235`	`230`	`func (c Config) TokenSource(ctx context.Context, token oauth2.Token) oauth2.TokenSource {`
`236`	`231`	`return c.underlying.TokenSource(c.wrapClient(ctx, SourceTokenSource), token)`
`237`	`232`	`}`