Check user code expiry and invalidity #1997

Status: Open. Wants to merge 1 commit into base: main.

Conversation

antoinelauzon-bell

It ensures that a user code is neither expired nor invalidated during the verification step. See gh-1894 and gh-1977 for more details.

Notes:

  • invalid_grant appears to be the expected error code (see RFC 6749, Section 5.2). It might be useful to distinguish these exceptions though (e.g. by using subclasses of OAuth2AuthenticationException).
  • A small gap remains where a user could verify a user code in the final seconds before it expires, leading to an expired device code on the next poll from the initial device. This scenario would require very unlucky timing.
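To make the two failure modes in the description concrete, here is an added, self-contained model of the verification step and the device's token-endpoint poll. It is not code from Spring Authorization Server or from this pull request: the class and method names are hypothetical, and it assumes (as the description's "expired device code on the next poll" implies) that the user code and the device code share one expiry. It distinguishes an expired code from an already-consumed (invalidated) one, consumes a code on successful verification so it cannot be replayed, and reproduces the timing gap the description notes, where a code verified in the last second is followed by a poll that finds the device code expired.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;

// Added illustration, not Spring Authorization Server code. Names are
// hypothetical; only the RFC 8628 error names (authorization_pending,
// expired_token) and RFC 6749's invalid_grant are real identifiers.
public final class UserCodeVerificationExample {

    // One device authorization: the user code shown to the user, the device
    // code the device polls with, a shared expiry (assumption), and flags that
    // record whether the user code was consumed and whether the user approved.
    static final class DeviceAuthorization {
        final String userCode;
        final String deviceCode;
        final Instant expiresAt;
        boolean userCodeInvalidated;
        boolean approved;

        DeviceAuthorization(String userCode, String deviceCode, Instant expiresAt) {
            this.userCode = userCode;
            this.deviceCode = deviceCode;
            this.expiresAt = expiresAt;
        }

        boolean isExpired(Instant now) {
            return !now.isBefore(expiresAt);
        }

        // An "isActive"-style check: neither invalidated nor expired.
        boolean isUserCodeActive(Instant now) {
            return !userCodeInvalidated && !isExpired(now);
        }
    }

    private final Map<String, DeviceAuthorization> byUserCode = new HashMap<>();
    private final Map<String, DeviceAuthorization> byDeviceCode = new HashMap<>();

    DeviceAuthorization issue(String userCode, String deviceCode, Instant now, Duration ttl) {
        DeviceAuthorization auth = new DeviceAuthorization(userCode, deviceCode, now.plus(ttl));
        byUserCode.put(userCode, auth);
        byDeviceCode.put(deviceCode, auth);
        return auth;
    }

    // Verification step: the user submits a user code. Unknown, already-used
    // and expired codes are all rejected with invalid_grant (RFC 6749 §5.2),
    // but the description says which case it was. A live code is consumed so
    // it cannot be replayed, and the authorization is marked approved.
    String verifyUserCode(String userCode, Instant now) {
        DeviceAuthorization auth = byUserCode.get(userCode);
        if (auth == null) {
            return "invalid_grant: unknown user code";
        }
        if (auth.userCodeInvalidated) {
            return "invalid_grant: user code is invalidated";
        }
        if (auth.isExpired(now)) {
            return "invalid_grant: user code is expired";
        }
        auth.userCodeInvalidated = true;
        auth.approved = true;
        return "ok";
    }

    // Token-endpoint poll from the device, answered with RFC 8628 error names.
    String poll(String deviceCode, Instant now) {
        DeviceAuthorization auth = byDeviceCode.get(deviceCode);
        if (auth == null) {
            return "invalid_grant";
        }
        if (auth.isExpired(now)) {
            return "expired_token";
        }
        return auth.approved ? "access_token issued" : "authorization_pending";
    }

    public static void main(String[] args) {
        UserCodeVerificationExample server = new UserCodeVerificationExample();
        Instant t0 = Instant.parse("2025-05-05T12:00:00Z"); // constructed timestamp
        Duration ttl = Duration.ofMinutes(5);

        // Normal flow: pending poll, successful verification, replay rejected
        // as invalidated, then the device obtains its token.
        server.issue("WDJB-MJHT", "device-code-1", t0, ttl);
        System.out.println(server.poll("device-code-1", t0.plusSeconds(30)));
        System.out.println(server.verifyUserCode("WDJB-MJHT", t0.plusSeconds(60)));
        System.out.println(server.verifyUserCode("WDJB-MJHT", t0.plusSeconds(61)));
        System.out.println(server.poll("device-code-1", t0.plusSeconds(90)));

        // The timing gap from the description: verification one second before
        // expiry succeeds, yet the device's next poll sees an expired device
        // code because both codes share the expiry in this model.
        server.issue("BBBB-CCCC", "device-code-2", t0, ttl);
        System.out.println(server.verifyUserCode("BBBB-CCCC", t0.plus(ttl).minusSeconds(1)));
        System.out.println(server.poll("device-code-2", t0.plus(ttl).plusSeconds(1)));

        // A code that was never verified simply expires.
        server.issue("DDDD-EEEE", "device-code-3", t0, ttl);
        System.out.println(server.verifyUserCode("DDDD-EEEE", t0.plus(ttl)));
    }
}
```

The order of the checks matters for what the user sees: a consumed code is reported as invalidated even after it has also expired, which matches the pull request's own ordering (invalidated check after the expiry check would report "expired" for a replayed code once the window closes). Whichever order a server picks, a single combined "active" check such as `isUserCodeActive` avoids the two branches drifting apart, at the cost of the per-case description.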

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label May 5, 2025
@OrangeDog

Would it not be better to just check isActive()? Not only is it less code, but it also covers cases you have missed.

if (this.logger.isTraceEnabled()) {
this.logger.trace("User code is expired");
}
throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT);
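Review bot: this branch and the invalidated branch below throw the same bare INVALID_GRANT, so neither the client response nor a log-based detection rule can tell an expired user code from a replayed one, and the only distinguishing text is a trace-level message that is normally disabled in production. The description already raises subclasses of OAuth2AuthenticationException as an option; short of that, building the exception from an OAuth2Error with a description (the three-argument OAuth2Error(errorCode, description, uri) form used in the suggestion) keeps the RFC 6749 error code while making the failure mode visible.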


Is it worth providing more context on the error..

Suggested change
throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT);
OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_GRANT, "User code is expired.", null);
throw new OAuth2AuthenticationException(error);

if (this.logger.isTraceEnabled()) {
this.logger.trace("User code is invalided");
}
throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT);
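Review bot: the trace message in this branch reads "User code is invalided", which should be "User code is invalidated" to match the description and the suggested error text; a misspelled log string is easy to miss and hard to grep for later. The guard and the thrown exception are otherwise identical to the expiry branch above, so any change made there (for example an error description) should be mirrored here.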


Is it worth providing more context on the error..

Suggested change
throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT);
OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_GRANT, "User code is invalidated.", null);
throw new OAuth2AuthenticationException(error);
