Prototype device authorization flow (core)

pkg/identity/oidc/oidc.go

@@ -118,6 +118,62 @@ func (p *Provider) SignIn(w http.ResponseWriter, r *http.Request, state string)
 	return nil
 }
 
+func (p *Provider) DeviceAuth(w http.ResponseWriter, r *http.Request) (*oauth2.DeviceAuthResponse, error) {
+	oa, err := p.GetOauthConfig()
+	if err != nil {
+		return nil, err
+	}
+
+	opts := defaultAuthCodeOptions
+	for k, v := range p.AuthCodeOptions {
+		opts = append(opts, oauth2.SetAuthURLParam(k, v))
+	}
+
+	resp, err := oa.DeviceAuth(r.Context(), opts...)
+	if err != nil {
+		return nil, err
+	}
+
+	return resp, nil
+}
+
+func (p *Provider) DeviceAccessToken(ctx context.Context, da *oauth2.DeviceAuthResponse, v identity.State) (*oauth2.Token, error) {
+	oa, err := p.GetOauthConfig()
+	if err != nil {
+		return nil, err
+	}
+
+	oauth2Token, err := oa.DeviceAccessToken(ctx, da)
+	if err != nil {
+		return nil, err
+	}
+
+	//
+	// TODO: the rest of this function is copied from Authenticate
+	//
+
+	idToken, err := p.getIDToken(ctx, oauth2Token)
+	if err != nil {
+		return nil, fmt.Errorf("identity/oidc: failed getting id_token: %w", err)
+	}
+
+	if rawIDToken, ok := oauth2Token.Extra("id_token").(string); ok {
+		v.SetRawIDToken(rawIDToken)
+	}
+
+	// hydrate `v` using claims inside the returned `id_token`
+	// https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint
+	if err := idToken.Claims(v); err != nil {
+		return nil, fmt.Errorf("identity/oidc: couldn't unmarshal extra claims %w", err)
+	}
+
+	if err := p.UpdateUserInfo(ctx, oauth2Token, v); err != nil {
+		return nil, fmt.Errorf("identity/oidc: couldn't update user info %w", err)
+	}
+
+	return oauth2Token, nil
+}
+
 // Authenticate converts an authorization code returned from the identity
 // provider into a token which is then converted into a user session.
 func (p *Provider) Authenticate(ctx context.Context, code string, v identity.State) (*oauth2.Token, error) {