feat: device authorization RFC 8628 (#5646)

* device auth: implement the write events * add grant type device code * fix(init): check if default value implements stringer --------- Co-authored-by: adlerhurst <silvan.reusser@gmail.com>
2025-08-11 19:17:32 +00:00 · 2023-04-19 11:46:02 +03:00
parent 3cd2cecfdf
commit 5819924275
49 changed files with 2313 additions and 38 deletions
--- a/internal/repository/deviceauth/aggregate.go
+++ b/internal/repository/deviceauth/aggregate.go
@@ -0,0 +1,19 @@
+package deviceauth
+
+import "github.com/zitadel/zitadel/internal/eventstore"
+
+const (
+	AggregateType    = "device_auth"
+	AggregateVersion = "v1"
+)
+
+func NewAggregate(aggrID, instanceID string) *eventstore.Aggregate {
+	return &eventstore.Aggregate{
+		ID:   aggrID,
+		Type: AggregateType,
+		// we use the id because we don't know the resource owner yet
+		ResourceOwner: instanceID,
+		InstanceID:    instanceID,
+		Version:       AggregateVersion,
+	}
+}
--- a/internal/repository/deviceauth/constraints.go
+++ b/internal/repository/deviceauth/constraints.go
@@ -0,0 +1,46 @@
+package deviceauth
+
+import (
+	"strings"
+
+	"github.com/zitadel/zitadel/internal/eventstore"
+)
+
+const (
+	UniqueUserCode      = "user_code"
+	UniqueDeviceCode    = "device_code"
+	DuplicateUserCode   = "Errors.DeviceUserCode.AlreadyExists"
+	DuplicateDeviceCode = "Errors.DeviceCode.AlreadyExists"
+)
+
+func deviceCodeUniqueField(clientID, deviceCode string) string {
+	return strings.Join([]string{clientID, deviceCode}, ":")
+}
+
+func NewAddUniqueConstraints(clientID, deviceCode, userCode string) []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{
+		eventstore.NewAddEventUniqueConstraint(
+			UniqueDeviceCode,
+			deviceCodeUniqueField(clientID, deviceCode),
+			DuplicateDeviceCode,
+		),
+		eventstore.NewAddEventUniqueConstraint(
+			UniqueUserCode,
+			userCode,
+			DuplicateUserCode,
+		),
+	}
+}
+
+func NewRemoveUniqueConstraints(clientID, deviceCode, userCode string) []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{
+		eventstore.NewRemoveEventUniqueConstraint(
+			UniqueDeviceCode,
+			deviceCodeUniqueField(clientID, deviceCode),
+		),
+		eventstore.NewRemoveEventUniqueConstraint(
+			UniqueUserCode,
+			userCode,
+		),
+	}
+}
--- a/internal/repository/deviceauth/device_auth.go
+++ b/internal/repository/deviceauth/device_auth.go
@@ -0,0 +1,141 @@
+package deviceauth
+
+import (
+	"context"
+	"time"
+
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/eventstore"
+)
+
+const (
+	eventTypePrefix   eventstore.EventType = "device.authorization."
+	AddedEventType                         = eventTypePrefix + "added"
+	ApprovedEventType                      = eventTypePrefix + "approved"
+	CanceledEventType                      = eventTypePrefix + "canceled"
+	RemovedEventType                       = eventTypePrefix + "removed"
+)
+
+type AddedEvent struct {
+	*eventstore.BaseEvent
+
+	ClientID   string
+	DeviceCode string
+	UserCode   string
+	Expires    time.Time
+	Scopes     []string
+	State      domain.DeviceAuthState
+}
+
+func (e *AddedEvent) SetBaseEvent(b *eventstore.BaseEvent) {
+	e.BaseEvent = b
+}
+
+func (e *AddedEvent) Data() any {
+	return e
+}
+
+func (e *AddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return NewAddUniqueConstraints(e.ClientID, e.DeviceCode, e.UserCode)
+}
+
+func NewAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	clientID string,
+	deviceCode string,
+	userCode string,
+	expires time.Time,
+	scopes []string,
+) *AddedEvent {
+	return &AddedEvent{
+		eventstore.NewBaseEventForPush(
+			ctx, aggregate, AddedEventType,
+		),
+		clientID, deviceCode, userCode, expires, scopes, domain.DeviceAuthStateInitiated}
+}
+
+type ApprovedEvent struct {
+	*eventstore.BaseEvent
+
+	Subject string
+}
+
+func (e *ApprovedEvent) SetBaseEvent(b *eventstore.BaseEvent) {
+	e.BaseEvent = b
+}
+
+func (e *ApprovedEvent) Data() any {
+	return e
+}
+
+func (e *ApprovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewApprovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	subject string,
+) *ApprovedEvent {
+	return &ApprovedEvent{
+		eventstore.NewBaseEventForPush(
+			ctx, aggregate, ApprovedEventType,
+		),
+		subject,
+	}
+}
+
+type CanceledEvent struct {
+	*eventstore.BaseEvent
+	Reason domain.DeviceAuthCanceled
+}
+
+func (e *CanceledEvent) SetBaseEvent(b *eventstore.BaseEvent) {
+	e.BaseEvent = b
+}
+
+func (e *CanceledEvent) Data() any {
+	return e
+}
+
+func (e *CanceledEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewCanceledEvent(ctx context.Context, aggregate *eventstore.Aggregate, reason domain.DeviceAuthCanceled) *CanceledEvent {
+	return &CanceledEvent{eventstore.NewBaseEventForPush(ctx, aggregate, CanceledEventType), reason}
+}
+
+type RemovedEvent struct {
+	*eventstore.BaseEvent
+
+	ClientID   string
+	DeviceCode string
+	UserCode   string
+}
+
+func (e *RemovedEvent) SetBaseEvent(b *eventstore.BaseEvent) {
+	e.BaseEvent = b
+}
+
+func (e *RemovedEvent) Data() any {
+	return e
+}
+
+func (e *RemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return NewRemoveUniqueConstraints(e.ClientID, e.DeviceCode, e.UserCode)
+}
+
+func NewRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	clientID, deviceCode, userCode string,
+) *RemovedEvent {
+	return &RemovedEvent{
+		eventstore.NewBaseEventForPush(
+			ctx, aggregate, RemovedEventType,
+		),
+		clientID, deviceCode, userCode,
+	}
+}