feat(api): allow Device Authorization Grant using custom login UI (#9387)

# Which Problems Are Solved The OAuth2 Device Authorization Grant could not yet been handled through the new login UI, resp. using the session API. This PR adds the ability for the login UI to get the required information to display the user and handle their decision (approve with authorization or deny) using the OIDC Service API. # How the Problems Are Solved - Added a `GetDeviceAuthorizationRequest` endpoint, which allows getting the `id`, `client_id`, `scope`, `app_name` and `project_name` of the device authorization request - Added a `AuthorizeOrDenyDeviceAuthorization` endpoint, which allows to approve/authorize with the session information or deny the request. The identification of the request is done by the `device_authorization_id` / `id` returned in the previous request. - To prevent leaking the `device_code` to the UI, but still having an easy reference, it's encrypted and returned as `id`, resp. decrypted when used. - Fixed returned error types for device token responses on token endpoint: - Explicitly return `access_denied` (without internal error) when user denied the request - Default to `invalid_grant` instead of `access_denied` - Explicitly check on initial state when approving the reqeust - Properly handle done case (also relates to initial check) - Documented the flow and handling in custom UIs (according to OIDC / SAML) # Additional Changes - fixed some typos and punctuation in the corresponding OIDC / SAML guides. - added some missing translations for auth and saml request # Additional Context - closes #6239 --------- Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
2025-08-11 18:07:31 +00:00 · 2025-02-25 07:33:13 +01:00
parent f2e82d57ac
commit 911200aa9b
39 changed files with 1210 additions and 35 deletions
--- a/internal/command/device_auth.go
+++ b/internal/command/device_auth.go
@@ -59,6 +59,9 @@ func (c *Commands) ApproveDeviceAuth(
 	if !model.State.Exists() {
 		return nil, zerrors.ThrowNotFound(nil, "COMMAND-Hief9", "Errors.DeviceAuth.NotFound")
 	}
+	if model.State != domain.DeviceAuthStateInitiated {
+		return nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-GEJL3", "Errors.DeviceAuth.AlreadyHandled")
+	}
 	pushedEvents, err := c.eventstore.Push(ctx, deviceauth.NewApprovedEvent(ctx, model.aggregate, userID, userOrgID, authMethods, authTime, preferredLanguage, userAgent, sessionID))
 	if err != nil {
 		return nil, err
@@ -71,6 +74,60 @@ func (c *Commands) ApproveDeviceAuth(
 	return writeModelToObjectDetails(&model.WriteModel), nil
 }

+func (c *Commands) ApproveDeviceAuthWithSession(
+	ctx context.Context,
+	deviceCode,
+	sessionID,
+	sessionToken string,
+) (*domain.ObjectDetails, error) {
+	model, err := c.getDeviceAuthWriteModelByDeviceCode(ctx, deviceCode)
+	if err != nil {
+		return nil, err
+	}
+	if !model.State.Exists() {
+		return nil, zerrors.ThrowNotFound(nil, "COMMAND-D2hf2", "Errors.DeviceAuth.NotFound")
+	}
+	if model.State != domain.DeviceAuthStateInitiated {
+		return nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-D30Jf", "Errors.DeviceAuth.AlreadyHandled")
+	}
+	if err := c.checkPermission(ctx, domain.PermissionSessionLink, model.ResourceOwner, ""); err != nil {
+		return nil, err
+	}
+
+	sessionWriteModel := NewSessionWriteModel(sessionID, authz.GetInstance(ctx).InstanceID())
+	err = c.eventstore.FilterToQueryReducer(ctx, sessionWriteModel)
+	if err != nil {
+		return nil, err
+	}
+	if err = sessionWriteModel.CheckIsActive(); err != nil {
+		return nil, err
+	}
+	if err := c.sessionTokenVerifier(ctx, sessionToken, sessionWriteModel.AggregateID, sessionWriteModel.TokenID); err != nil {
+		return nil, err
+	}
+
+	pushedEvents, err := c.eventstore.Push(ctx, deviceauth.NewApprovedEvent(
+		ctx,
+		model.aggregate,
+		sessionWriteModel.UserID,
+		sessionWriteModel.UserResourceOwner,
+		sessionWriteModel.AuthMethodTypes(),
+		sessionWriteModel.AuthenticationTime(),
+		sessionWriteModel.PreferredLanguage,
+		sessionWriteModel.UserAgent,
+		sessionID,
+	))
+	if err != nil {
+		return nil, err
+	}
+	err = AppendAndReduce(model, pushedEvents...)
+	if err != nil {
+		return nil, err
+	}
+
+	return writeModelToObjectDetails(&model.WriteModel), nil
+}
+
 func (c *Commands) CancelDeviceAuth(ctx context.Context, id string, reason domain.DeviceAuthCanceled) (*domain.ObjectDetails, error) {
 	model, err := c.getDeviceAuthWriteModelByDeviceCode(ctx, id)
 	if err != nil {
--- a/internal/command/device_auth_model.go
+++ b/internal/command/device_auth_model.go
@@ -82,6 +82,7 @@ func (m *DeviceAuthWriteModel) Query() *eventstore.SearchQueryBuilder {
 			deviceauth.AddedEventType,
 			deviceauth.ApprovedEventType,
 			deviceauth.CanceledEventType,
+			deviceauth.DoneEventType,
 		).
 		Builder()
 }
--- a/internal/command/device_auth_test.go
+++ b/internal/command/device_auth_test.go
@@ -23,6 +23,7 @@ import (
 	"github.com/zitadel/zitadel/internal/id/mock"
 	"github.com/zitadel/zitadel/internal/repository/deviceauth"
 	"github.com/zitadel/zitadel/internal/repository/oidcsession"
+	"github.com/zitadel/zitadel/internal/repository/session"
 	"github.com/zitadel/zitadel/internal/repository/user"
 	"github.com/zitadel/zitadel/internal/zerrors"
 )
@@ -265,6 +266,310 @@ func TestCommands_ApproveDeviceAuth(t *testing.T) {
 	}
 }

+func TestCommands_ApproveDeviceAuthFromSession(t *testing.T) {
+	ctx := authz.WithInstanceID(context.Background(), "instance1")
+	now := time.Now()
+	pushErr := errors.New("pushErr")
+
+	type fields struct {
+		eventstore      func(*testing.T) *eventstore.Eventstore
+		tokenVerifier   func(ctx context.Context, sessionToken, sessionID, tokenID string) (err error)
+		checkPermission domain.PermissionCheck
+	}
+	type args struct {
+		ctx          context.Context
+		deviceCode   string
+		sessionID    string
+		sessionToken string
+	}
+	tests := []struct {
+		name        string
+		fields      fields
+		args        args
+		wantDetails *domain.ObjectDetails
+		wantErr     error
+	}{
+		{
+			name: "not found error",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(),
+				),
+			},
+			args: args{
+				ctx,
+				"notfound",
+				"sessionID",
+				"sessionToken",
+			},
+			wantErr: zerrors.ThrowNotFound(nil, "COMMAND-D2hf2", "Errors.DeviceAuth.NotFound"),
+		},
+		{
+			name: "not initialized, error",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusherWithInstanceID(
+							"instance1",
+							deviceauth.NewAddedEvent(
+								ctx,
+								deviceauth.NewAggregate("deviceCode", "instance1"),
+								"client_id", "deviceCode", "456", now,
+								[]string{"a", "b", "c"},
+								[]string{"projectID", "clientID"}, true,
+							),
+						),
+						eventFromEventPusherWithInstanceID(
+							"instance1",
+							deviceauth.NewCanceledEvent(
+								ctx,
+								deviceauth.NewAggregate("deviceCode", "instance1"),
+								domain.DeviceAuthCanceledDenied,
+							)),
+					),
+				),
+			},
+			args: args{
+				ctx,
+				"deviceCode",
+				"sessionID",
+				"sessionToken",
+			},
+			wantErr: zerrors.ThrowPreconditionFailed(nil, "COMMAND-D30Jf", "Errors.DeviceAuth.AlreadyHandled"),
+		},
+		{
+			name: "missing permission, error",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(eventFromEventPusherWithInstanceID(
+						"instance1",
+						deviceauth.NewAddedEvent(
+							ctx,
+							deviceauth.NewAggregate("deviceCode", "instance1"),
+							"client_id", "deviceCode", "456", now,
+							[]string{"a", "b", "c"},
+							[]string{"projectID", "clientID"}, true,
+						),
+					)),
+				),
+				checkPermission: newMockPermissionCheckNotAllowed(),
+			},
+			args: args{
+				ctx,
+				"deviceCode",
+				"sessionID",
+				"sessionToken",
+			},
+			wantErr: zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"),
+		},
+		{
+			name: "session not active, error",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(eventFromEventPusherWithInstanceID(
+						"instance1",
+						deviceauth.NewAddedEvent(
+							ctx,
+							deviceauth.NewAggregate("deviceCode", "instance1"),
+							"client_id", "deviceCode", "456", now,
+							[]string{"a", "b", "c"},
+							[]string{"projectID", "clientID"}, true,
+						),
+					)),
+					expectFilter(),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args: args{
+				ctx,
+				"deviceCode",
+				"sessionID",
+				"sessionToken",
+			},
+			wantErr: zerrors.ThrowPreconditionFailed(nil, "COMMAND-Flk38", "Errors.Session.NotExisting"),
+		},
+		{
+			name: "invalid session token, error",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(eventFromEventPusherWithInstanceID(
+						"instance1",
+						deviceauth.NewAddedEvent(
+							ctx,
+							deviceauth.NewAggregate("deviceCode", "instance1"),
+							"client_id", "deviceCode", "456", now,
+							[]string{"a", "b", "c"},
+							[]string{"projectID", "clientID"}, true,
+						),
+					)),
+					expectFilter(eventFromEventPusherWithInstanceID(
+						"instance1",
+						session.NewAddedEvent(ctx,
+							&session.NewAggregate("sessionID", "instance1").Aggregate,
+							&domain.UserAgent{
+								FingerprintID: gu.Ptr("fp1"),
+								IP:            net.ParseIP("1.2.3.4"),
+								Description:   gu.Ptr("firefox"),
+								Header:        http.Header{"foo": []string{"bar"}},
+							},
+						)),
+					)),
+				tokenVerifier:   newMockTokenVerifierInvalid(),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args: args{
+				ctx,
+				"deviceCode",
+				"sessionID",
+				"invalidToken",
+			},
+			wantErr: zerrors.ThrowPermissionDenied(nil, "COMMAND-sGr42", "Errors.Session.Token.Invalid"),
+		},
+		{
+			name: "push error",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(eventFromEventPusherWithInstanceID(
+						"instance1",
+						deviceauth.NewAddedEvent(
+							ctx,
+							deviceauth.NewAggregate("deviceCode", "instance1"),
+							"client_id", "deviceCode", "456", now,
+							[]string{"a", "b", "c"},
+							[]string{"projectID", "clientID"}, true,
+						),
+					)),
+					expectFilter(
+						eventFromEventPusher(
+							session.NewAddedEvent(ctx,
+								&session.NewAggregate("sessionID", "instance1").Aggregate,
+								&domain.UserAgent{
+									FingerprintID: gu.Ptr("fp1"),
+									IP:            net.ParseIP("1.2.3.4"),
+									Description:   gu.Ptr("firefox"),
+									Header:        http.Header{"foo": []string{"bar"}},
+								},
+							),
+						),
+						eventFromEventPusher(
+							session.NewUserCheckedEvent(ctx, &session.NewAggregate("sessionID", "instance1").Aggregate,
+								"userID", "orgID", testNow, &language.Afrikaans),
+						),
+						eventFromEventPusher(
+							session.NewPasswordCheckedEvent(ctx, &session.NewAggregate("sessionID", "instance1").Aggregate,
+								testNow),
+						),
+						eventFromEventPusherWithCreationDateNow(
+							session.NewLifetimeSetEvent(ctx, &session.NewAggregate("sessionID", "instance1").Aggregate,
+								2*time.Minute),
+						),
+					),
+					expectPushFailed(pushErr,
+						deviceauth.NewApprovedEvent(
+							ctx, deviceauth.NewAggregate("deviceCode", "instance1"), "userID", "orgID",
+							[]domain.UserAuthMethodType{domain.UserAuthMethodTypePassword},
+							testNow, &language.Afrikaans, &domain.UserAgent{
+								FingerprintID: gu.Ptr("fp1"),
+								IP:            net.ParseIP("1.2.3.4"),
+								Description:   gu.Ptr("firefox"),
+								Header:        http.Header{"foo": []string{"bar"}},
+							},
+							"sessionID",
+						),
+					),
+				),
+				tokenVerifier:   newMockTokenVerifierValid(),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args: args{
+				ctx,
+				"deviceCode",
+				"sessionID",
+				"sessionToken",
+			},
+			wantErr: pushErr,
+		},
+		{
+			name: "authorized",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(eventFromEventPusherWithInstanceID(
+						"instance1",
+						deviceauth.NewAddedEvent(
+							ctx,
+							deviceauth.NewAggregate("deviceCode", "instance1"),
+							"client_id", "deviceCode", "456", now,
+							[]string{"a", "b", "c"},
+							[]string{"projectID", "clientID"}, true,
+						),
+					)),
+					expectFilter(
+						eventFromEventPusher(
+							session.NewAddedEvent(ctx,
+								&session.NewAggregate("sessionID", "instance1").Aggregate,
+								&domain.UserAgent{
+									FingerprintID: gu.Ptr("fp1"),
+									IP:            net.ParseIP("1.2.3.4"),
+									Description:   gu.Ptr("firefox"),
+									Header:        http.Header{"foo": []string{"bar"}},
+								},
+							),
+						),
+						eventFromEventPusher(
+							session.NewUserCheckedEvent(ctx, &session.NewAggregate("sessionID", "instance1").Aggregate,
+								"userID", "orgID", testNow, &language.Afrikaans),
+						),
+						eventFromEventPusher(
+							session.NewPasswordCheckedEvent(ctx, &session.NewAggregate("sessionID", "instance1").Aggregate,
+								testNow),
+						),
+						eventFromEventPusherWithCreationDateNow(
+							session.NewLifetimeSetEvent(ctx, &session.NewAggregate("sessionID", "instance1").Aggregate,
+								2*time.Minute),
+						),
+					),
+					expectPush(
+						deviceauth.NewApprovedEvent(
+							ctx, deviceauth.NewAggregate("deviceCode", "instance1"), "userID", "orgID",
+							[]domain.UserAuthMethodType{domain.UserAuthMethodTypePassword},
+							testNow, &language.Afrikaans, &domain.UserAgent{
+								FingerprintID: gu.Ptr("fp1"),
+								IP:            net.ParseIP("1.2.3.4"),
+								Description:   gu.Ptr("firefox"),
+								Header:        http.Header{"foo": []string{"bar"}},
+							},
+							"sessionID",
+						),
+					),
+				),
+				tokenVerifier:   newMockTokenVerifierValid(),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args: args{
+				ctx,
+				"deviceCode",
+				"sessionID",
+				"sessionToken",
+			},
+			wantDetails: &domain.ObjectDetails{
+				ResourceOwner: "instance1",
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := &Commands{
+				eventstore:           tt.fields.eventstore(t),
+				sessionTokenVerifier: tt.fields.tokenVerifier,
+				checkPermission:      tt.fields.checkPermission,
+			}
+			gotDetails, err := c.ApproveDeviceAuthWithSession(tt.args.ctx, tt.args.deviceCode, tt.args.sessionID, tt.args.sessionToken)
+			require.ErrorIs(t, err, tt.wantErr)
+			assertObjectDetails(t, tt.wantDetails, gotDetails)
+		})
+	}
+}
+
 func TestCommands_CancelDeviceAuth(t *testing.T) {
 	ctx := authz.WithInstanceID(context.Background(), "instance1")
 	now := time.Now()