chore: code review

Author: aeneasr

.schema/config.schema.json

@@ -619,6 +619,14 @@
                 "https://my-service.com/oauth2/auth"
               ]
             },
+            "device_authorization_url": {
+              "type": "string",
+              "description": "Overwrites the OAuth2 Device Auth URL",
+              "format": "uri-reference",
+              "examples": [
+                "https://my-service.com/oauth2/device/auth"
+              ]
+            },
             "client_registration_url": {
               "description": "Sets the OpenID Connect Dynamic Client Registration Endpoint",
               "type": "string",
@@ -645,19 +653,11 @@
             },
             "userinfo_url": {
               "type": "string",
-              "description": "A URL of the userinfo endpoint to be advertised at the OpenID Connect Discovery endpoint `/.well-known/openid-configuration`. Defaults to Ory Hydra's userinfo endpoint at `/userinfo`. Set this value if you want to handle this endpoint yourself.",
+              "description": "A URL of the userinfo endpoint to be advertised at the OpenID Connect Discovery endpoint /.well-known/openid-configuration. Defaults to Ory Hydra's userinfo endpoint at /userinfo. Set this value if you want to handle this endpoint yourself.",
               "format": "uri-reference",
               "examples": [
                 "https://example.org/my-custom-userinfo-endpoint"
               ]
-            },
-            "device_authorization_url": {
-              "type": "string",
-              "description": "A URL of the device authorization endpoint to be advertised at the OpenID Connect Discovery endpoint `/.well-known/openid-configuration`. Defaults to Ory Hydra's device authorization endpoint at `/oauth2/device/auth`. Set this value if you want to handle this endpoint yourself.",
-              "format": "uri-reference",
-              "examples": [
-                "https://example.org/oauth2/device/auth"
-              ]
             }
           }
         }
@@ -816,23 +816,29 @@
             "/ui/logout"
           ]
         },
-        "device_verification": {
-          "type": "string",
-          "description": "Sets the device user code verification endpoint. Defaults to an internal fallback URL showing an error.",
-          "format": "uri-reference",
-          "examples": [
-            "https://my-logout.app/device_verification",
-            "/ui/device_verification"
-          ]
-        },
-        "device_verification_success": {
-          "type": "string",
-          "description": "Sets the post device authentication endpoint. Defaults to an internal fallback URL showing an error.",
-          "format": "uri-reference",
-          "examples": [
-            "https://my-logout.app/device_done",
-            "/ui/device_done"
-          ]
+        "device": {
+          "type": "object",
+          "description": "Configure URLs for the OAuth 2.0 Device Code Flow.",
+          "properties": {
+            "verification": {
+              "type": "string",
+              "description": "Sets the device user code verification endpoint. Defaults to an internal fallback URL showing an error.",
+              "format": "uri-reference",
+              "examples": [
+                "https://my-logout.app/device_verification",
+                "/ui/device_verification"
+              ]
+            },
+            "success": {
+              "type": "string",
+              "description": "Sets the post device authentication endpoint. Defaults to an internal fallback URL showing an error.",
+              "format": "uri-reference",
+              "examples": [
+                "https://my-logout.app/device_done",
+                "/ui/device_done"
+              ]
+            }
+          }
         },
         "error": {
           "type": "string",
@@ -980,8 +986,8 @@
           ]
         },
         "device_user_code": {
-          "description": "Configures how long device and user codes are valid.",
-          "default": "15m",
+          "description": "Configures how long device & user codes are valid.",
+          "default": "10m",
           "allOf": [
             {
               "$ref": "#/definitions/duration"
@@ -1104,23 +1110,6 @@
             }
           }
         },
-        "device_authorization": {
-          "token_polling_interval": {
-            "description": "Sets the starting token polling interval.",
-            "default": "5s",
-            "allOf": [
-              {
-                "$ref": "#/definitions/duration"
-              }
-            ]
-          },
-          "user_code_entropy": {
-            "type": "string",
-            "description": "Sets the entropy for the user codes.",
-            "default": "medium",
-            "enum": ["high", "medium", "low"]
-          }
-        },
         "grant": {
           "type": "object",
           "additionalProperties": false,
@@ -1181,6 +1170,28 @@
             }
           ]
         },
+        "device_authorization": {
+          "type": "object",
+          "additionalProperties": false,
+          "properties": {
+            "token_polling_interval": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/duration"
+                }
+              ],
+              "default": "5s",
+              "description": "configure how often a non-interactive device should poll the device token endpoint",
+              "examples": ["5s", "15s", "1m"]
+            },
+            "user_code_entropy": {
+              "type": "string",
+              "description": "Sets the entropy for the user codes.",
+              "default": "medium",
+              "enum": ["high", "medium", "low"]
+            }
+          }
+        },
         "token_hook": {
           "description": "Sets the token hook endpoint for all grant types. If set it will be called while providing token to customize claims.",
           "examples": ["https://my-example.app/token-hook"],
@@ -1194,8 +1205,8 @@
             }
           ]
         }
-    }
-  },
+      }
+    },
     "secrets": {
       "type": "object",
       "additionalProperties": false,
@@ -1240,7 +1251,7 @@
       "examples": ["cpu"]
     },
     "tracing": {
-      "$ref": "https://raw.githubusercontent.com/ory/x/v0.0.675/otelx/config.schema.json"
+      "$ref": "ory://tracing-config"
     },
     "sqa": {
       "type": "object",

cmd/cmd_perform_device_flow.go

@@ -22,11 +22,10 @@ import (
 func NewPerformDeviceCodeCmd() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:     "device-code",
-		Example: "{{ .CommandPath }} --client-id ... --client-secret ...",
+		Example: "{{ .CommandPath }} --client-id ...",
 		Short:   "An exemplary OAuth 2.0 Client performing the OAuth 2.0 Device Code Flow",
 		Long: `Performs the device code flow. Useful for getting an access token and an ID token in machines without a browser.
-The client that will be used MUST support the "client_secret_post" token-endpoint-auth-method.
-		`,
+The client that will be used MUST use the "none" or "client_secret_post" token-endpoint-auth-method.`,
 		RunE: func(cmd *cobra.Command, args []string) error {
 			client, endpoint, err := cliclient.NewClient(cmd)
 			if err != nil {
@@ -43,8 +42,8 @@ The client that will be used MUST support the "client_secret_post" token-endpoin
 
 			clientID := flagx.MustGetString(cmd, "client-id")
 			if clientID == "" {
-				_, _ = fmt.Fprint(cmd.OutOrStdout(), cmd.UsageString())
-				_, _ = fmt.Fprintln(cmd.OutOrStdout(), "Please provide a Client ID using --client-id flag, or OAUTH2_CLIENT_ID environment variable.")
+				_, _ = fmt.Fprintln(cmd.ErrOrStderr(), cmd.UsageString())
+				_, _ = fmt.Fprintln(cmd.ErrOrStderr(), "Please provide a Client ID using --client-id flag, or OAUTH2_CLIENT_ID environment variable.")
 				return cmdx.FailSilently(cmd)
 			}
 
@@ -79,24 +78,24 @@ The client that will be used MUST support the "client_secret_post" token-endpoin
 			)
 			if err != nil {
 				_, _ = fmt.Fprintf(
-					cmd.ErrOrStderr(), "Failed to perform the device authorization request: %s", err)
+					cmd.ErrOrStderr(), "Failed to perform the device authorization request: %s\n", err)
 				return cmdx.FailSilently(cmd)
 			}
 
 			_, _ = fmt.Fprintln(
-				cmd.OutOrStdout(),
+				cmd.ErrOrStderr(),
 				"To login please go to:\n\t",
 				deviceAuthResponse.VerificationURIComplete,
 			)
 
 			token, err := conf.DeviceAccessToken(ctx, deviceAuthResponse)
 			if err != nil {
 				_, _ = fmt.Fprintf(
-					cmd.ErrOrStderr(), "Failed to perform the device token request: %s", err)
+					cmd.ErrOrStderr(), "Failed to perform the device token request: %s\n", err)
 				return cmdx.FailSilently(cmd)
 			}
 
-			fmt.Println("Successfully signed in!")
+			_, _ = fmt.Fprintln(cmd.ErrOrStderr(), "Successfully signed in!")
 
 			cmdx.PrintRow(cmd, outputOAuth2Token(*token))
 			return nil

consent/handler.go

@@ -1157,7 +1157,6 @@ func (h *Handler) acceptUserCodeRequest(w http.ResponseWriter, r *http.Request,
 	}
 
 	f.RequestURL = reqURL.String()
-
 	hr, err := h.r.ConsentManager().HandleDeviceUserAuthRequest(ctx, f, challenge, &p)
 	if err != nil {
 		h.r.Writer().WriteError(w, r, err)

consent/strategy_default.go

@@ -1191,20 +1191,33 @@ func (s *DefaultStrategy) HandleOAuth2DeviceAuthorizationRequest(
 	ctx, span := trace.SpanFromContext(ctx).TracerProvider().Tracer("").Start(ctx, "DefaultStrategy.HandleOAuth2DeviceAuthorizationRequest")
 	defer otelx.End(span, &err)
 
+	// This handler has the following validation states:
+	//
+	// 1. The flow is initiated (no verifiers) -> we request a device verifier (can only be achieved by solving the device challenge)
+	// 2. Device verifier is given -> we request login verifier (can only be achieved by solving the login challenge)
+	// 3. Login verifier is given -> we request consent verifier (can only be achieved by solving the consent challenge)
+	// 4. Consent verifier is given -> done.
+
 	deviceVerifier := strings.TrimSpace(r.URL.Query().Get("device_verifier"))
 	loginVerifier := strings.TrimSpace(r.URL.Query().Get("login_verifier"))
 	consentVerifier := strings.TrimSpace(r.URL.Query().Get("consent_verifier"))
 
+	ar := fosite.NewAuthorizeRequest()
+
 	var deviceFlow *flow.Flow
 	if deviceVerifier == "" && loginVerifier == "" && consentVerifier == "" {
-		// ok, we need to process this request and redirect to device auth endpoint
+		// No verifiers are set, let's start by requesting the device verifier first.
 		return nil, nil, s.requestDevice(ctx, w, r)
 	} else if deviceVerifier != "" && loginVerifier == "" && consentVerifier == "" {
+		// Device verifier is set, but login and consent are not. So we need to verify the device.
 		var err error
 		deviceFlow, err = s.verifyDevice(ctx, w, r, deviceVerifier)
 		if err != nil {
 			return nil, nil, err
 		}
+
+		ar.RequestedScope = fosite.Arguments(deviceFlow.RequestedScope)
+		ar.RequestedAudience = fosite.Arguments(deviceFlow.RequestedAudience)
 	}
 
 	// Validate client_id
@@ -1220,18 +1233,15 @@ func (s *DefaultStrategy) HandleOAuth2DeviceAuthorizationRequest(
 	}
 
 	// Fake an authorization request to instantiate the flow.
-	ar := fosite.NewAuthorizeRequest()
 	ar.Client = c
 	ar.Form = r.Form
-	if deviceFlow != nil {
-		ar.RequestedScope = fosite.Arguments(deviceFlow.RequestedScope)
-		ar.RequestedAudience = fosite.Arguments(deviceFlow.RequestedAudience)
-	}
 
 	if loginVerifier == "" && consentVerifier == "" {
-		// ok, we need to process this request and redirect to the authentication endpoint
+		// Here we end up if the device has been verified, but login and verification are still missing.
+		// Let's request authentication.
 		return nil, nil, s.requestAuthentication(ctx, w, r, ar, deviceFlow)
 	} else if loginVerifier != "" {
+		// Login verification was given, let's verify!
 		f, err := s.verifyAuthentication(ctx, w, r, ar, loginVerifier)
 		if err != nil {
 			return nil, nil, err
@@ -1241,6 +1251,7 @@ func (s *DefaultStrategy) HandleOAuth2DeviceAuthorizationRequest(
 		return nil, f, s.requestConsent(ctx, w, r, ar, f)
 	}
 
+	// Here we end up when consent verifier is set, so we verify the consent.
 	var consentSession *flow.AcceptOAuth2ConsentRequest
 	var f *flow.Flow
 

contrib/quickstart/5-min/hydra.yml

@@ -8,8 +8,9 @@ urls:
   consent: http://127.0.0.1:3000/consent
   login: http://127.0.0.1:3000/login
   logout: http://127.0.0.1:3000/logout
-  device_verification: http://127.0.0.1:3000/device/code
-  device_verification_success: http://127.0.0.1:3000/device/complete
+  device:
+    verification: http://127.0.0.1:3000/device/verify
+    success: http://127.0.0.1:3000/device/success
 
 secrets:
   system:

driver/config/provider.go

@@ -86,8 +86,8 @@ const (
 	KeyLogoutURL                                 = "urls.logout"
 	KeyConsentURL                                = "urls.consent"
 	KeyErrorURL                                  = "urls.error"
-	KeyDeviceVerificationURL                     = "urls.device_verification"
-	KeyDeviceDoneURL                             = "urls.device_verification_success"
+	KeyDeviceVerificationURL                     = "urls.device.verification"
+	KeyDeviceDoneURL                             = "urls.device.success"
 	KeyPublicURL                                 = "urls.self.public"
 	KeyAdminURL                                  = "urls.self.admin"
 	KeyIssuerURL                                 = "urls.self.issuer"

internal/.hydra.yaml

@@ -101,8 +101,9 @@ urls:
   consent: https://consent
   logout: https://logout
   error: https://error
-  device_verification: https://device
-  device_verification_success: https://device/callback
+  device:
+    verification: https://device
+    success: https://device/callback
   post_logout_redirect: https://post_logout
 
 strategies: