Closed as duplicate of #1977
Description
Hey folks!
Expected Behavior
I was wondering, should/could the device verification endpoint, specifically the OAuth2DeviceVerificationAuthenticationProvider's authenticate method, reject expired user codes?
Perhaps, before checking the scopes, the authorization's expiry for the device code could be checked and rejected with invalid_grant and an appropriate description.
Current Behavior
When an expired user code for device auth is used on the verification endpoint, it's accepted even though it's expired. It seems it allows verification consent correctly too.
Context
Alternatives Considered:
- I guess we could check this manually with a device authentication verification override fairly easily (and we'll probably do that, since we need to be able to tell on the first hit of the verification endpoint whether the user code is expired or not).
- I was also wondering if the OAuth2DeviceAuthorizationConsentAuthenticationProvider could handle this, but I suspect it might be better on that first hit of /oauth2/device_verification.
Open to PR'ing this if it's suitable?
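One shape the "verification override" mentioned above could take, as an added example that is not code from this issue or from Spring Authorization Server: a hypothetical AuthenticationProvider that wraps the framework's OAuth2DeviceVerificationAuthenticationProvider and fails closed with invalid_grant when the stored user code has expired, before any scope or consent handling runs. It assumes the Spring Authorization Server API names as they exist in recent releases (OAuth2AuthorizationService#findByToken, OAuth2Authorization.Token#isExpired, OAuth2UserCode, OAuth2ParameterNames.USER_CODE); the class name ExpiryCheckingDeviceVerificationProvider is made up.

```java
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.OAuth2UserCode;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2DeviceVerificationAuthenticationToken;

// Hypothetical wrapper (not part of Spring Authorization Server): fails closed on an
// expired user code, then delegates to the framework's verification provider.
public final class ExpiryCheckingDeviceVerificationProvider implements AuthenticationProvider {
    private static final OAuth2TokenType USER_CODE_TOKEN_TYPE =
            new OAuth2TokenType(OAuth2ParameterNames.USER_CODE);
    private final OAuth2AuthorizationService authorizationService;
    private final AuthenticationProvider delegate; // OAuth2DeviceVerificationAuthenticationProvider

    public ExpiryCheckingDeviceVerificationProvider(OAuth2AuthorizationService authorizationService,
                                                    AuthenticationProvider delegate) {
        this.authorizationService = authorizationService;
        this.delegate = delegate;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        OAuth2DeviceVerificationAuthenticationToken request =
                (OAuth2DeviceVerificationAuthenticationToken) authentication;
        // Load the authorization issued at /oauth2/device_authorization by its user code.
        OAuth2Authorization authorization =
                authorizationService.findByToken(request.getUserCode(), USER_CODE_TOKEN_TYPE);
        // Reject before any scope or consent handling runs; unknown and expired codes fail alike.
        OAuth2Authorization.Token<OAuth2UserCode> userCode =
                authorization == null ? null : authorization.getToken(OAuth2UserCode.class);
        if (userCode == null || userCode.isExpired()) {
            throw new OAuth2AuthenticationException(new OAuth2Error(
                    OAuth2ErrorCodes.INVALID_GRANT, "The user code is unknown or has expired", null));
        }
        return delegate.authenticate(authentication);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return OAuth2DeviceVerificationAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

Register it in place of the framework provider for the device verification endpoint so the expiry check runs on the first hit of /oauth2/device_verification, before the consent flow is reached.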