feat(api): allow Device Authorization Grant using custom login UI (#9387)

# Which Problems Are Solved

The OAuth2 Device Authorization Grant could not yet been handled through
the new login UI, resp. using the session API.
This PR adds the ability for the login UI to get the required
information to display the user and handle their decision (approve with
authorization or deny) using the OIDC Service API.

# How the Problems Are Solved

- Added a `GetDeviceAuthorizationRequest` endpoint, which allows getting
the `id`, `client_id`, `scope`, `app_name` and `project_name` of the
device authorization request
- Added a `AuthorizeOrDenyDeviceAuthorization` endpoint, which allows to
approve/authorize with the session information or deny the request. The
identification of the request is done by the `device_authorization_id` /
`id` returned in the previous request.
- To prevent leaking the `device_code` to the UI, but still having an
easy reference, it's encrypted and returned as `id`, resp. decrypted
when used.
- Fixed returned error types for device token responses on token
endpoint:
- Explicitly return `access_denied` (without internal error) when user
denied the request
  - Default to `invalid_grant` instead of `access_denied`
- Explicitly check on initial state when approving the reqeust
- Properly handle done case (also relates to initial check) 
- Documented the flow and handling in custom UIs (according to OIDC /
SAML)

# Additional Changes

- fixed some typos and punctuation in the corresponding OIDC / SAML
guides.
- added some missing translations for auth and saml request

# Additional Context

- closes #6239

---------

Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>

internal/api/grpc/oidc/v2/integration_test/oidc_test.go

@@ -13,6 +13,7 @@ import (
 	"github.com/muhlemmer/gu"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 	"google.golang.org/protobuf/types/known/timestamppb"
 
 	"github.com/zitadel/zitadel/internal/integration"
@@ -636,6 +637,230 @@ func TestServer_CreateCallback_Permission(t *testing.T) {
 	}
 }
 
+func TestServer_GetDeviceAuthorizationRequest(t *testing.T) {
+	project, err := Instance.CreateProject(CTX)
+	require.NoError(t, err)
+	client, err := Instance.CreateOIDCClient(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, app.OIDCGrantType_OIDC_GRANT_TYPE_DEVICE_CODE)
+	require.NoError(t, err)
+
+	tests := []struct {
+		name    string
+		dep     func() (*oidc.DeviceAuthorizationResponse, error)
+		ctx     context.Context
+		want    *oidc.DeviceAuthorizationResponse
+		wantErr bool
+	}{
+		{
+			name: "Not found",
+			dep: func() (*oidc.DeviceAuthorizationResponse, error) {
+				return &oidc.DeviceAuthorizationResponse{
+					UserCode: "notFound",
+				}, nil
+			},
+			ctx:     CTX,
+			wantErr: true,
+		},
+		{
+			name: "success",
+			dep: func() (*oidc.DeviceAuthorizationResponse, error) {
+				return Instance.CreateDeviceAuthorizationRequest(CTX, client.GetClientId(), "openid")
+			},
+			ctx: CTX,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			deviceAuth, err := tt.dep()
+			require.NoError(t, err)
+
+			got, err := Client.GetDeviceAuthorizationRequest(tt.ctx, &oidc_pb.GetDeviceAuthorizationRequestRequest{
+				UserCode: deviceAuth.UserCode,
+			})
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			authRequest := got.GetDeviceAuthorizationRequest()
+			assert.NotNil(t, authRequest)
+			assert.NotEmpty(t, authRequest.GetId())
+			assert.Equal(t, client.GetClientId(), authRequest.GetClientId())
+			assert.Contains(t, authRequest.GetScope(), "openid")
+			assert.NotEmpty(t, authRequest.GetAppName())
+			assert.NotEmpty(t, authRequest.GetProjectName())
+		})
+	}
+}
+
+func TestServer_AuthorizeOrDenyDeviceAuthorization(t *testing.T) {
+	project, err := Instance.CreateProject(CTX)
+	require.NoError(t, err)
+	client, err := Instance.CreateOIDCClient(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, app.OIDCGrantType_OIDC_GRANT_TYPE_DEVICE_CODE)
+	require.NoError(t, err)
+	sessionResp := createSession(t, CTX, Instance.Users[integration.UserTypeOrgOwner].ID)
+
+	tests := []struct {
+		name      string
+		ctx       context.Context
+		req       *oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest
+		AuthError string
+		want      *oidc_pb.AuthorizeOrDenyDeviceAuthorizationResponse
+		wantURL   *url.URL
+		wantErr   bool
+	}{
+		{
+			name: "Not found",
+			ctx:  CTX,
+			req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{
+				DeviceAuthorizationId: "123",
+				Decision: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest_Session{
+					Session: &oidc_pb.Session{
+						SessionId:    sessionResp.GetSessionId(),
+						SessionToken: sessionResp.GetSessionToken(),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "session not found",
+			ctx:  CTX,
+			req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{
+				DeviceAuthorizationId: func() string {
+					req, err := Instance.CreateDeviceAuthorizationRequest(CTX, client.GetClientId(), "openid")
+					require.NoError(t, err)
+					var id string
+					assert.EventuallyWithT(t, func(collectT *assert.CollectT) {
+						resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTX, &oidc_pb.GetDeviceAuthorizationRequestRequest{
+							UserCode: req.UserCode,
+						})
+						assert.NoError(t, err)
+						id = resp.GetDeviceAuthorizationRequest().GetId()
+					}, 5*time.Second, 100*time.Millisecond)
+					return id
+				}(),
+				Decision: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest_Session{
+					Session: &oidc_pb.Session{
+						SessionId:    "foo",
+						SessionToken: "bar",
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "session token invalid",
+			ctx:  CTX,
+			req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{
+				DeviceAuthorizationId: func() string {
+					req, err := Instance.CreateDeviceAuthorizationRequest(CTX, client.GetClientId(), "openid")
+					require.NoError(t, err)
+					var id string
+					assert.EventuallyWithT(t, func(collectT *assert.CollectT) {
+						resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTX, &oidc_pb.GetDeviceAuthorizationRequestRequest{
+							UserCode: req.UserCode,
+						})
+						assert.NoError(collectT, err)
+						id = resp.GetDeviceAuthorizationRequest().GetId()
+					}, 5*time.Second, 100*time.Millisecond)
+					return id
+				}(),
+				Decision: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest_Session{
+					Session: &oidc_pb.Session{
+						SessionId:    sessionResp.GetSessionId(),
+						SessionToken: "bar",
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "deny device authorization",
+			ctx:  CTX,
+			req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{
+				DeviceAuthorizationId: func() string {
+					req, err := Instance.CreateDeviceAuthorizationRequest(CTX, client.GetClientId(), "openid")
+					require.NoError(t, err)
+					var id string
+					assert.EventuallyWithT(t, func(collectT *assert.CollectT) {
+						resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTX, &oidc_pb.GetDeviceAuthorizationRequestRequest{
+							UserCode: req.UserCode,
+						})
+						assert.NoError(collectT, err)
+						id = resp.GetDeviceAuthorizationRequest().GetId()
+					}, 5*time.Second, 100*time.Millisecond)
+					return id
+				}(),
+				Decision: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest_Deny{},
+			},
+			want:    &oidc_pb.AuthorizeOrDenyDeviceAuthorizationResponse{},
+			wantErr: false,
+		},
+		{
+			name: "authorize, no permission, error",
+			ctx:  CTX,
+			req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{
+				DeviceAuthorizationId: func() string {
+					req, err := Instance.CreateDeviceAuthorizationRequest(CTX, client.GetClientId(), "openid")
+					require.NoError(t, err)
+					var id string
+					assert.EventuallyWithT(t, func(collectT *assert.CollectT) {
+						resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTX, &oidc_pb.GetDeviceAuthorizationRequestRequest{
+							UserCode: req.UserCode,
+						})
+						assert.NoError(collectT, err)
+						id = resp.GetDeviceAuthorizationRequest().GetId()
+					}, 5*time.Second, 100*time.Millisecond)
+					return id
+				}(),
+				Decision: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest_Session{
+					Session: &oidc_pb.Session{
+						SessionId:    sessionResp.GetSessionId(),
+						SessionToken: sessionResp.GetSessionToken(),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "authorize, with permission",
+			ctx:  CTXLoginClient,
+			req: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest{
+				DeviceAuthorizationId: func() string {
+					req, err := Instance.CreateDeviceAuthorizationRequest(CTX, client.GetClientId(), "openid")
+					require.NoError(t, err)
+					var id string
+					assert.EventuallyWithT(t, func(collectT *assert.CollectT) {
+						resp, err := Instance.Client.OIDCv2.GetDeviceAuthorizationRequest(CTX, &oidc_pb.GetDeviceAuthorizationRequestRequest{
+							UserCode: req.UserCode,
+						})
+						assert.NoError(collectT, err)
+						id = resp.GetDeviceAuthorizationRequest().GetId()
+					}, 5*time.Second, 100*time.Millisecond)
+					return id
+				}(),
+				Decision: &oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest_Session{
+					Session: &oidc_pb.Session{
+						SessionId:    sessionResp.GetSessionId(),
+						SessionToken: sessionResp.GetSessionToken(),
+					},
+				},
+			},
+			wantErr: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			_, err := Client.AuthorizeOrDenyDeviceAuthorization(tt.ctx, tt.req)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+		})
+	}
+}
+
 func createSession(t *testing.T, ctx context.Context, userID string) *session.CreateSessionResponse {
 	sessionResp, err := Instance.Client.SessionV2.CreateSession(ctx, &session.CreateSessionRequest{
 		Checks: &session.Checks{

internal/api/grpc/oidc/v2/oidc.go

@@ -2,6 +2,7 @@ package oidc
 
 import (
 	"context"
+	"encoding/base64"
 
 	"github.com/zitadel/logging"
 	"github.com/zitadel/oidc/v3/pkg/op"
@@ -28,6 +29,54 @@ func (s *Server) GetAuthRequest(ctx context.Context, req *oidc_pb.GetAuthRequest
 	}, nil
 }
 
+func (s *Server) CreateCallback(ctx context.Context, req *oidc_pb.CreateCallbackRequest) (*oidc_pb.CreateCallbackResponse, error) {
+	switch v := req.GetCallbackKind().(type) {
+	case *oidc_pb.CreateCallbackRequest_Error:
+		return s.failAuthRequest(ctx, req.GetAuthRequestId(), v.Error)
+	case *oidc_pb.CreateCallbackRequest_Session:
+		return s.linkSessionToAuthRequest(ctx, req.GetAuthRequestId(), v.Session)
+	default:
+		return nil, zerrors.ThrowUnimplementedf(nil, "OIDCv2-zee7A", "verification oneOf %T in method CreateCallback not implemented", v)
+	}
+}
+
+func (s *Server) GetDeviceAuthorizationRequest(ctx context.Context, req *oidc_pb.GetDeviceAuthorizationRequestRequest) (*oidc_pb.GetDeviceAuthorizationRequestResponse, error) {
+	deviceRequest, err := s.query.DeviceAuthRequestByUserCode(ctx, req.GetUserCode())
+	if err != nil {
+		return nil, err
+	}
+	encrypted, err := s.encryption.Encrypt([]byte(deviceRequest.DeviceCode))
+	if err != nil {
+		return nil, err
+	}
+	return &oidc_pb.GetDeviceAuthorizationRequestResponse{
+		DeviceAuthorizationRequest: &oidc_pb.DeviceAuthorizationRequest{
+			Id:          base64.RawURLEncoding.EncodeToString(encrypted),
+			ClientId:    deviceRequest.ClientID,
+			Scope:       deviceRequest.Scopes,
+			AppName:     deviceRequest.AppName,
+			ProjectName: deviceRequest.ProjectName,
+		},
+	}, nil
+}
+
+func (s *Server) AuthorizeOrDenyDeviceAuthorization(ctx context.Context, req *oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest) (*oidc_pb.AuthorizeOrDenyDeviceAuthorizationResponse, error) {
+	deviceCode, err := s.deviceCodeFromID(req.GetDeviceAuthorizationId())
+	if err != nil {
+		return nil, err
+	}
+	switch req.GetDecision().(type) {
+	case *oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest_Session:
+		_, err = s.command.ApproveDeviceAuthWithSession(ctx, deviceCode, req.GetSession().GetSessionId(), req.GetSession().GetSessionToken())
+	case *oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest_Deny:
+		_, err = s.command.CancelDeviceAuth(ctx, deviceCode, domain.DeviceAuthCanceledDenied)
+	}
+	if err != nil {
+		return nil, err
+	}
+	return &oidc_pb.AuthorizeOrDenyDeviceAuthorizationResponse{}, nil
+}
+
 func authRequestToPb(a *query.AuthRequest) *oidc_pb.AuthRequest {
 	pba := &oidc_pb.AuthRequest{
 		Id:           a.ID,
@@ -87,17 +136,6 @@ func (s *Server) checkPermission(ctx context.Context, clientID string, userID st
 	return nil
 }
 
-func (s *Server) CreateCallback(ctx context.Context, req *oidc_pb.CreateCallbackRequest) (*oidc_pb.CreateCallbackResponse, error) {
-	switch v := req.GetCallbackKind().(type) {
-	case *oidc_pb.CreateCallbackRequest_Error:
-		return s.failAuthRequest(ctx, req.GetAuthRequestId(), v.Error)
-	case *oidc_pb.CreateCallbackRequest_Session:
-		return s.linkSessionToAuthRequest(ctx, req.GetAuthRequestId(), v.Session)
-	default:
-		return nil, zerrors.ThrowUnimplementedf(nil, "OIDCv2-zee7A", "verification oneOf %T in method CreateCallback not implemented", v)
-	}
-}
-
 func (s *Server) failAuthRequest(ctx context.Context, authRequestID string, ae *oidc_pb.AuthorizationError) (*oidc_pb.CreateCallbackResponse, error) {
 	details, aar, err := s.command.FailAuthRequest(ctx, authRequestID, errorReasonToDomain(ae.GetError()))
 	if err != nil {
@@ -215,3 +253,11 @@ func errorReasonToOIDC(reason oidc_pb.ErrorReason) string {
 		return "server_error"
 	}
 }
+
+func (s *Server) deviceCodeFromID(deviceAuthID string) (string, error) {
+	decoded, err := base64.RawURLEncoding.DecodeString(deviceAuthID)
+	if err != nil {
+		return "", err
+	}
+	return s.encryption.DecryptString(decoded, s.encryption.EncryptionKeyID())
+}

internal/api/grpc/oidc/v2/server.go

@@ -7,6 +7,7 @@ import (
 	"github.com/zitadel/zitadel/internal/api/grpc/server"
 	"github.com/zitadel/zitadel/internal/api/oidc"
 	"github.com/zitadel/zitadel/internal/command"
+	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/query"
 	oidc_pb "github.com/zitadel/zitadel/pkg/grpc/oidc/v2"
 )
@@ -20,6 +21,7 @@ type Server struct {
 
 	op             *oidc.Server
 	externalSecure bool
+	encryption     crypto.EncryptionAlgorithm
 }
 
 type Config struct{}
@@ -29,12 +31,14 @@ func CreateServer(
 	query *query.Queries,
 	op *oidc.Server,
 	externalSecure bool,
+	encryption crypto.EncryptionAlgorithm,
 ) *Server {
 	return &Server{
 		command:        command,
 		query:          query,
 		op:             op,
 		externalSecure: externalSecure,
+		encryption:     encryption,
 	}
 }