Add new device_auth_client_type setting to allow attaching the client_secret to device auth requests

2025-08-03 00:40:25 +02:00 · 2024-06-06 15:57:37 -04:00 · 2024-06-06 15:57:37 -04:00 · b4aa275403
commit b4aa275403
parent 18aed33aa5
11 changed files with 312 additions and 249 deletions
--- a/pkg/identity/oidc/oidc.go
+++ b/pkg/identity/oidc/oidc.go
@ -49,6 +49,8 @@ type Provider struct {
 	// to the request flow signin url.
 	AuthCodeOptions map[string]string

+	DeviceAuthClientType string
+
 	mu       sync.Mutex
 	provider *go_oidc.Provider
 }
@ -66,6 +68,9 @@ func New(ctx context.Context, o *oauth.Options, options ...Option) (*Provider, e
 	if len(o.AuthCodeOptions) != 0 {
 		p.AuthCodeOptions = o.AuthCodeOptions
 	}
+	if o.DeviceAuthClientType != "" {
+		p.DeviceAuthClientType = o.DeviceAuthClientType
+	}

 	p.cfg = getConfig(append([]Option{
 		WithGetOauthConfig(func(provider *go_oidc.Provider) *oauth2.Config {
@ -133,6 +138,11 @@ func (p *Provider) DeviceAuth(w http.ResponseWriter, r *http.Request) (*oauth2.D
 	for k, v := range p.AuthCodeOptions {
 		opts = append(opts, oauth2.SetAuthURLParam(k, v))
 	}
+	switch p.DeviceAuthClientType {
+	case "", "public":
+	case "confidential":
+		opts = append(opts, oauth2.SetAuthURLParam("client_secret", oa.ClientSecret))
+	}

 	resp, err := oa.DeviceAuth(r.Context(), opts...)
 	if err != nil {