Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
This PR adds support for the OIDC device flow. This is a much simpler authorization flow for command line usage, because it does not require an http callback to the client command. Requested and discussed in #103.
Design of Change
To enable device flow, first a new config setting oidc_device_auth_url must be set containing the full URL to the OIDC provider's device endpoint. This isn't ideal, but since golang/oauth2 does not yet support device flow, we don't have access to the device endpoint under the discovery URL. An alternative that could be done is to implement our own discovery of that endpoint.
Once oidc_device_auth_url is set, an individual role selects device flow by setting role_type="oidcdevice". Other roles can still use code flow with role_type="oidc" (which is still the default).
A small implementation of the oauth2 device flow that someone wrote in 2014 was copied here, and updated to be compliant with RFC8628.
Next, the
oidc/auth_url
API is modified to return the different "auth_url" that the user has to visit to authorize in a web browser. It will be a complete url if provided, otherwise there will be a "user_code" that has to also be shown to a user to separately enter into the web browser. There will always be a "device_code" to be passed back to the next API, and optionally there can be a default "interval" in seconds between polls for responses.When a "device_code" is present, then next a new API
oidc/device_wait
has to be called instead of theoidc/callback
used by the code flow. It needs to be given the "device_code", the "role", and optionally an "interval". This will wait for the user to respond, checking with the OIDC provider every interval seconds, and in the end return the same data thatoidc/callback
returns.Finally, the cli is modified to work with both the old API and the new one. There's no option to override the interval, but it could be added if requested. The default is 5 seconds if not set by the OIDC provider, which is what the RFC recommends.
Related Issues/Pull Requests
[ ] Issue #103
Contributor Checklist
[ ] Add relevant docs to upstream Vault repository, or sufficient reasoning why docs won’t be added yet
I will modify the relevant docs if this PR is acceptable
[ ] Add output for any tests not ran in CI to the PR description (eg, acceptance tests)
[x] Backwards compatible