[v1.4] Adds Device Code Flow (#5)

The Device Code grant type is used by browserless or input-constrained
devices in the device flow to exchange a previously obtained device code
for an access token.

The Device Code grant type value is
urn:ietf:params:oauth:grant-type:device_code.

Author: eliasjpr

.github/workflows/spec.yml

@@ -4,7 +4,7 @@ on:
   pull_request:
     branches: [main]
 jobs:
-  docker:
+  build:
     timeout-minutes: 10
     runs-on: ubuntu-latest
     services:
@@ -42,7 +42,7 @@ jobs:
       - name: Run Code Format
         run: crystal tool format --check
 
-      - name: Install dependencies
+      - name: Install Dependencies
         run: shards install
 
       - name: Run Ameba Checks
@@ -54,8 +54,11 @@ jobs:
       - name: Run tests
         run: crystal spec
         env:
+          BASE_URL: http://localhost:4000
+          ACTIVATE_URL: http://localhost:4000/activate
+          DEVICE_CODE_TTL: 300
           SECRET_KEY: secret_key
           REFRESH_TTL: 60
-          CODE_TTL: 5
+          CODE_TTL: 300
           ACCESS_TOKEN_TTL: 60
           DATABASE_URL: postgres://auth_user:auth_pass@localhost:5432/authority_db?initial_pool_size=10&checkout_timeout=3

Authority.session.sql

@@ -1,16 +1,16 @@
 # Authority
 
-[![Test](https://github.com/azutoolkit/authority/actions/workflows/spec.yml/badge.svg)](https://github.com/azutoolkit/authority/actions/workflows/spec.yml) [![Codacy Badge](https://app.codacy.com/project/badge/Grade/c19b4551de9f43c2b79664af5908f033)](https://www.codacy.com/gh/azutoolkit/authority/dashboard?utm_source=github.com&utm_medium=referral&utm_content=azutoolkit/authority&utm_campaign=Badge_Grade)
+[![Test](https://github.com/azutoolkit/authority/actions/workflows/spec.yml/badge.svg)](https://github.com/azutoolkit/authority/actions/workflows/spec.yml) [![Codacy Badge](https://app.codacy.com/project/badge/Grade/c19b4551de9f43c2b79664af5908f033)](https://www.codacy.com/gh/azutoolkit/authority/dashboard?utm_source=github.com&utm_medium=referral&utm_content=azutoolkit/authority&utm_campaign=Badge_Grade) ![GitHub release (latest by date)](https://img.shields.io/github/v/release/azutoolkit/authority?label=shard)
 
 ![logo](https://user-images.githubusercontent.com/1685772/141647649-241cff93-a5dc-4e6a-9695-ff4b9e6a51d4.png)
 
 <https://user-images.githubusercontent.com/1685772/140772737-179dd2e4-0eaa-4915-a942-5e0fe48f0124.mp4>
 
 A OAuth2 Server, sometimes also referred to as an OAuth 2.0 Server, OAuth Server, Authorization Server, is a software system that implements network protocol flows that allow a client software application to act on behalf of a user.
 
-Authority is a OpenID OAuth 2.0 Server and OpenID Connect Provider optimized for low-latency, high throughput, and low resource consumption. Authority has a built in identity provider user login.
+Authority is a OpenID OAuth 2.0 Server and OpenID Connect Provider written in Crystal optimized for low-latency, high throughput, and low resource consumption. Authority has a built in identity provider user login.
 
-OpenID Connect and OAuth Provider written in Crystal - Security-first, open source API security for your infrastructure. SDKs to come.
+Authority is an open source API security for your infrastructure.
 
 ## Architecture
 
@@ -34,11 +34,19 @@ of Authority is to make OAuth 2.0 and OpenID Connect 1.0 better accessible.
 
 The Authority implements five grants for acquiring an access token:
 
-- Authorization code grant
-- Implicit grant
-- Resource owner credentials grant
-- Client credentials grant
-- Refresh token grant
+- Authorization code Grant
+- Implicit Grant
+- Resource owner credentials Grant
+- Client credentials Grant
+- Refresh token Grant
+- Device Token Grant
+
+The following RFCs are implemented:
+
+- [RFC6749 "OAuth 2.0"](https://tools.ietf.org/html/rfc6749)
+- [RFC6750 " The OAuth 2.0 Authorization Framework: Bearer Token Usage"](https://tools.ietf.org/html/rfc6750)
+- [RFC7519 "JSON Web Token (JWT)"](https://tools.ietf.org/html/rfc7519)
+- [RFC7636 "Proof Key for Code Exchange by OAuth Public Clients"](https://tools.ietf.org/html/rfc7636)
 
 ## Why Authority is Different​
 
@@ -70,12 +78,11 @@ Grant Types
 - [x] OpenID Connect
 - [x] PKCE
 - [x] JSON Web Tokens
-- [ ] Device Code grant
+- [x] Device Code grant
 - [ ] Token Introspection
 - [ ] Token Revocation
-- [ ] Opaque Token
+- [ ] Opaque Tokens
 - [ ] Client SDKs
-- [ ] Session Management
 - [ ] Account recovery & verification
 - [ ] MFA
 - [ ] Permission and Role Management
@@ -95,24 +102,36 @@ CRYSTAL_WORKERS=4
 PORT=4000
 PORT_REUSE=true
 HOST=0.0.0.0
-DATABASE_URL=postgres://auth_user:auth_pass@db:5432/authority_db
-  ?initial_pool_size=10&checkout_timeout=3
+DATABASE_URL=postgres://auth_user:auth_pass@db:5432/authority_db?initial_pool_size=10&checkout_timeout=3
 SECRET_KEY=secret_key
 REFRESH_TTL=60
 CODE_TTL=5
 ACCESS_TOKEN_TTL=60
+TEMPLATES_PATH="./public/templates"
+ERROR_TEMPLATE
+SESSION_KEY="session_id"
+BASE_URL=http://localhost:4000
+ACTIVATE_URL=http://localhost:4000/activate
+DEVICE_CODE_TTL=300
+SSL_CERT=
+SSL_KEY=
+SSL_CA=
+SSL_MODE=
 ```
 
 ## User Interface Customization
 
-The Managed UI implements screens such as login, registration, account recovery,
+The Authority UI implements screens such as login, registration, account recovery,
 account setting, and account verification. This allows for fast adoption of Authority.
 
 Contrary to other vendors, Authority allows you to implement your own UI
 by offering simple html templates. You can change the look of Authority `signin`
 and `authorize` html pages.
 
-Just edit the `./public/templates/signin.html` and `./public/templates/authorize.html`
+Just edit the `./public/templates/`
+
+> **Note** ensure to maintain the same template variable names defined in
+> brackets `{{var_name}}`
 
 ## Installation
 
@@ -124,6 +143,16 @@ Spin up your server
 docker-compose up server
 ```
 
+## Which OAuth 2.0 grant should I use?
+
+A grant is a method of acquiring an access token. Deciding which grants to
+implement depends on the type of client the end user will be using, and the
+experience you want for your users.
+
+<p align="center">
+<img src="https://user-images.githubusercontent.com/1685772/142732731-bfaa94ab-5072-4a70-b91c-72c8b1b10f28.png">
+</p>
+
 ## Contributing
 
 1. Fork it (<https://github.com/azutoolkit/authority/fork>)

Dockerfile.spec

@@ -0,0 +1,25 @@
+class CreateDeviceCode
+  include Clear::Migration
+
+  def change(direction)
+    direction.up do
+      create_enum("verification", %w(allowed denied pending))
+
+      create_table :device_codes, id: :uuid do |t|
+        t.column :client_id, "varchar(80)", null: false, index: true, unique: false
+        t.column :client_name, "varchar(80)", null: false
+        t.column :user_code, "varchar(10)", null: false, index: true, unique: false
+        t.column :verification, :verification, null: false
+        t.column :verification_uri, "varchar(1000)", null: false
+        t.column :expires_at, "TIMESTAMPTZ", index: true, default: "CURRENT_TIMESTAMP"
+
+        t.timestamps
+      end
+    end
+
+    direction.down do
+      execute "DROP TABLE IF EXISTS device_codes;"
+      execute "DROP TYPE IF EXISTS verification;"
+    end
+  end
+end

README.md

@@ -10,17 +10,6 @@ services:
     ports:
       - 5432:5432
 
-  # spec:
-  #   build:
-  #     context: .
-  #     dockerfile: Dockerfile.spec
-  #   container_name: authority-spec
-  #   working_dir: /opt/app
-  #   environment:
-  #     - DATABASE_URL=postgres://auth_user:auth_pass@db:5432/authority_db
-  #   depends_on:
-  #     - server
-
   server:
     build:
       context: .

db/migrations/1637251606_create_device_code.cr

@@ -9,4 +9,10 @@ DATABASE_URL=postgres://auth_user:auth_pass@db:5432/authority_db?initial_pool_si
 SECRET_KEY=secret_key
 REFRESH_TTL=60
 CODE_TTL=5
-ACCESS_TOKEN_TTL=60
+ACCESS_TOKEN_TTL=60
+TEMPLATES_PATH="./public/templates"
+ERROR_TEMPLATE
+SESSION_KEY="session_id"
+BASE_URL=http://localhost:4000
+ACTIVATE_URL=http://localhost:4000/activate
+DEVICE_CODE_TTL=300

docker-compose.yml

@@ -20,112 +20,12 @@ body {
   font-size: 62px;
 }
 
-.form-control {
-  height: 41px;
-  background: #f2f2f2;
-  box-shadow: none !important;
-  border: none;
-}
-
-.form-control:focus {
-  border-color: #2389cd;
-}
-
-.login-form {
-  width: 400px;
-  margin: 30px auto;
-  padding: 30px 0;
-}
-
-.login-form form {
-  color: #999;
-  border-radius: 3px;
-  margin-bottom: 15px;
-  background: #fff;
-  box-shadow: 0px 2px 2px rgba(0, 0, 0, 0.3);
-  padding: 30px;
-}
-
-.login-form h4 {
-  text-align: center;
-  font-size: 22px;
-  margin-bottom: 20px;
-}
-
-.login-form .form-group {
-  margin-bottom: 20px;
-}
-
-.login-form .form-control,
-.login-form .btn {
-  min-height: 40px;
-  border-radius: 2px;
-  transition: all 0.5s;
-}
-
-.login-form .close {
-  position: absolute;
-  top: 15px;
-  right: 15px;
-}
-
-.login-form .btn,
-.login-form .btn:active {
-  background: #2389cd !important;
-  border: none;
-  line-height: normal;
-}
-
-.login-form .btn:hover,
-.login-form .btn:focus {
-  background: #2389cd !important;
-}
-
-.login-form .checkbox-inline {
-  float: left;
-}
-
-.login-form input[type="checkbox"] {
-  position: relative;
-  top: 2px;
-}
-
-.login-form .forgot-link {
-  float: right;
-}
-
-.login-form .small {
-  font-size: 13px;
-}
-
-.login-form a {
-  color: #2389cd;
-}
-
-.form-control {
-  height: 41px;
-  background: #f2f2f2;
-  box-shadow: none !important;
-  border: none;
-}
-
-.form-control:focus {
-  background: #e2e2e2;
-}
-
-.form-control,
-.btn {
-  border-radius: 3px;
-}
-
 .signup-form {
   width: 500px;
   margin: 30px auto;
   padding: 30px 0;
 }
 
-
-
 .signup-form form {
   color: #999;
   border-radius: 3px;
@@ -161,20 +61,6 @@ body {
   padding-left: 10px;
 }
 
-.signup-form .btn {
-  font-size: 16px;
-  font-weight: bold;
-  background: #3598dc;
-  border: none;
-  min-width: 140px;
-}
-
-.signup-form .btn:hover,
-.signup-form .btn:focus {
-  background: #2389cd !important;
-  outline: none;
-}
-
 .signup-form a:hover {
   text-decoration: none;
 }

local.env

@@ -2,7 +2,7 @@
 {% set title = "Authorize" %}
 
 {% block body %}
-<main class="login-form">
+<main class="signup-form">
   {% include "errors.html" %}
   <form method="post" action="{{authorize_endpoint}}">
     <input type="hidden" name="response_type" value="{{response_type}}" />

oauth-grants.png

@@ -0,0 +1,12 @@
+{% extends "layout.html" %}
+{% set title = "Device Activation" %}
+
+{% block body %}
+<main class="signup-form">
+
+  {% include "errors.html" %}
+  <form>
+    <h2 class="text-center display-3 text-success fw-light">Congratulations, you're all set!</h2>
+  </form>
+</main>
+{% endblock %}