Add new device_auth_client_type setting to allow attaching the client_secret to device auth requests

2025-06-27 15:08:14 +02:00 · 2024-06-06 15:57:37 -04:00 · 2024-06-06 15:57:37 -04:00 · bd5ad2e909
commit bd5ad2e909
parent fb7440a607
9 changed files with 1052 additions and 984 deletions
--- a/authenticate/identity.go
+++ b/authenticate/identity.go
@ -24,12 +24,13 @@ func defaultGetIdentityProvider(options *config.Options, idpID string) (identity
 		return nil, err
 	}
 	return identity.NewAuthenticator(oauth.Options{
-		RedirectURL:     redirectURL,
-		ProviderName:    idp.GetType(),
-		ProviderURL:     idp.GetUrl(),
-		ClientID:        idp.GetClientId(),
-		ClientSecret:    idp.GetClientSecret(),
-		Scopes:          idp.GetScopes(),
-		AuthCodeOptions: idp.GetRequestParams(),
+		RedirectURL:          redirectURL,
+		ProviderName:         idp.GetType(),
+		ProviderURL:          idp.GetUrl(),
+		ClientID:             idp.GetClientId(),
+		ClientSecret:         idp.GetClientSecret(),
+		Scopes:               idp.GetScopes(),
+		AuthCodeOptions:      idp.GetRequestParams(),
+		DeviceAuthClientType: idp.GetDeviceAuthClientType(),
 	})
 }
--- a/config/identity.go
+++ b/config/identity.go
@ -1,6 +1,8 @@
 package config

 import (
+	"fmt"
+
 	"github.com/pomerium/pomerium/internal/urlutil"
 	"github.com/pomerium/pomerium/pkg/grpc/identity"
 )
@ -30,13 +32,21 @@ func (o *Options) GetIdentityProviderForPolicy(policy *Policy) (*identity.Provid
 		return nil, err
 	}

+	deviceAuthClientType := "public"
+	if o.DeviceAuthClientType != "" {
+		if deviceAuthClientType != "public" && deviceAuthClientType != "confidential" {
+			return nil, fmt.Errorf("config: invalid device auth client type %q", o.DeviceAuthClientType)
+		}
+		deviceAuthClientType = o.DeviceAuthClientType
+	}
 	idp := &identity.Provider{
-		ClientId:      o.ClientID,
-		ClientSecret:  clientSecret,
-		Type:          o.Provider,
-		Scopes:        o.Scopes,
-		Url:           o.ProviderURL,
-		RequestParams: o.RequestParams,
+		ClientId:             o.ClientID,
+		ClientSecret:         clientSecret,
+		Type:                 o.Provider,
+		Scopes:               o.Scopes,
+		Url:                  o.ProviderURL,
+		RequestParams:        o.RequestParams,
+		DeviceAuthClientType: &deviceAuthClientType,
 	}
 	if policy != nil {
 		if policy.IDPClientID != "" {
--- a/config/options.go
+++ b/config/options.go
@ -156,6 +156,11 @@ type Options struct {
 	ProviderURL      string   `mapstructure:"idp_provider_url" yaml:"idp_provider_url,omitempty"`
 	Scopes           []string `mapstructure:"idp_scopes" yaml:"idp_scopes,omitempty"`

+	// Either "public" or "confidential". Defaults to "public".
+	// If set to "confidential", the client_secret will be used when requesting a
+	// device code for the device authorization grant type.
+	DeviceAuthClientType string `mapstructure:"device_auth_client_type" yaml:"device_auth_client_type,omitempty"`
+
 	// RequestParams are custom request params added to the signin request as
 	// part of an Oauth2 code flow.
 	//
@ -1471,6 +1476,7 @@ func (o *Options) ApplySettings(ctx context.Context, certsIndex *cryptutil.Certi
 	set(&o.ClientSecret, settings.IdpClientSecret)
 	set(&o.Provider, settings.IdpProvider)
 	set(&o.ProviderURL, settings.IdpProviderUrl)
+	set(&o.DeviceAuthClientType, settings.DeviceAuthClientType)
 	setSlice(&o.Scopes, settings.Scopes)
 	setMap(&o.RequestParams, settings.RequestParams)
 	setSlice(&o.AuthorizeURLStrings, settings.AuthorizeServiceUrls)
--- a/pkg/grpc/config/config.pb.go
+++ b/pkg/grpc/config/config.pb.go
--- a/pkg/grpc/config/config.proto
+++ b/pkg/grpc/config/config.proto
@ -133,7 +133,7 @@ message Policy {
  string remediation = 9;
 }

-// Next ID: 119.
+// Next ID: 120.
 message Settings {
  message Certificate {
    bytes cert_bytes = 3;
@ -172,6 +172,7 @@ message Settings {
  optional string idp_client_secret = 23;
  optional string idp_provider = 24;
  optional string idp_provider_url = 25;
+  optional string device_auth_client_type = 119;
  repeated string scopes = 26;
  // optional string idp_service_account = 27;
  // optional google.protobuf.Duration idp_refresh_directory_timeout = 28;
--- a/pkg/grpc/identity/identity.pb.go
+++ b/pkg/grpc/identity/identity.pb.go
@ -1,8 +1,8 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.26.0
-// 	protoc        v3.21.7
-// source: identity.proto
+// 	protoc-gen-go v1.34.1
+// 	protoc        (unknown)
+// source: github.com/pomerium/pomerium/pkg/grpc/identity/identity.proto

 package identity

@ -32,14 +32,15 @@ type Provider struct {
 	Type         string   `protobuf:"bytes,4,opt,name=type,proto3" json:"type,omitempty"`
 	Scopes       []string `protobuf:"bytes,5,rep,name=scopes,proto3" json:"scopes,omitempty"`
 	// string service_account = 6;
-	Url           string            `protobuf:"bytes,7,opt,name=url,proto3" json:"url,omitempty"`
-	RequestParams map[string]string `protobuf:"bytes,8,rep,name=request_params,json=requestParams,proto3" json:"request_params,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	Url                  string            `protobuf:"bytes,7,opt,name=url,proto3" json:"url,omitempty"`
+	RequestParams        map[string]string `protobuf:"bytes,8,rep,name=request_params,json=requestParams,proto3" json:"request_params,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	DeviceAuthClientType *string           `protobuf:"bytes,9,opt,name=device_auth_client_type,json=deviceAuthClientType,proto3,oneof" json:"device_auth_client_type,omitempty"`
 }

 func (x *Provider) Reset() {
 	*x = Provider{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_identity_proto_msgTypes[0]
+		mi := &file_github_com_pomerium_pomerium_pkg_grpc_identity_identity_proto_msgTypes[0]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@ -52,7 +53,7 @@ func (x *Provider) String() string {
 func (*Provider) ProtoMessage() {}

 func (x *Provider) ProtoReflect() protoreflect.Message {
-	mi := &file_identity_proto_msgTypes[0]
+	mi := &file_github_com_pomerium_pomerium_pkg_grpc_identity_identity_proto_msgTypes[0]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@ -65,7 +66,7 @@ func (x *Provider) ProtoReflect() protoreflect.Message {

 // Deprecated: Use Provider.ProtoReflect.Descriptor instead.
 func (*Provider) Descriptor() ([]byte, []int) {
-	return file_identity_proto_rawDescGZIP(), []int{0}
+	return file_github_com_pomerium_pomerium_pkg_grpc_identity_identity_proto_rawDescGZIP(), []int{0}
 }

 func (x *Provider) GetId() string {
@ -117,6 +118,13 @@ func (x *Provider) GetRequestParams() map[string]string {
 	return nil
 }

+func (x *Provider) GetDeviceAuthClientType() string {
+	if x != nil && x.DeviceAuthClientType != nil {
+		return *x.DeviceAuthClientType
+	}
+	return ""
+}
+
 type Profile struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@ -131,7 +139,7 @@ type Profile struct {
 func (x *Profile) Reset() {
 	*x = Profile{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_identity_proto_msgTypes[1]
+		mi := &file_github_com_pomerium_pomerium_pkg_grpc_identity_identity_proto_msgTypes[1]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@ -144,7 +152,7 @@ func (x *Profile) String() string {
 func (*Profile) ProtoMessage() {}

 func (x *Profile) ProtoReflect() protoreflect.Message {
-	mi := &file_identity_proto_msgTypes[1]
+	mi := &file_github_com_pomerium_pomerium_pkg_grpc_identity_identity_proto_msgTypes[1]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@ -157,7 +165,7 @@ func (x *Profile) ProtoReflect() protoreflect.Message {

 // Deprecated: Use Profile.ProtoReflect.Descriptor instead.
 func (*Profile) Descriptor() ([]byte, []int) {
-	return file_identity_proto_rawDescGZIP(), []int{1}
+	return file_github_com_pomerium_pomerium_pkg_grpc_identity_identity_proto_rawDescGZIP(), []int{1}
 }

 func (x *Profile) GetProviderId() string {
@ -188,68 +196,77 @@ func (x *Profile) GetClaims() *structpb.Struct {
 	return nil
 }

-var File_identity_proto protoreflect.FileDescriptor
+var File_github_com_pomerium_pomerium_pkg_grpc_identity_identity_proto protoreflect.FileDescriptor

-var file_identity_proto_rawDesc = []byte{
-	0x0a, 0x0e, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x12, 0x11, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2e, 0x69, 0x64, 0x65, 0x6e, 0x74,
-	0x69, 0x74, 0x79, 0x1a, 0x1c, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x62, 0x75, 0x66, 0x2f, 0x73, 0x74, 0x72, 0x75, 0x63, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x22, 0xb3, 0x02, 0x0a, 0x08, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x12, 0x0e,
-	0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x1b,
-	0x0a, 0x09, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x08, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x49, 0x64, 0x12, 0x23, 0x0a, 0x0d, 0x63,
-	0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x18, 0x03, 0x20, 0x01,
-	0x28, 0x09, 0x52, 0x0c, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74,
-	0x12, 0x12, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04,
-	0x74, 0x79, 0x70, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x63, 0x6f, 0x70, 0x65, 0x73, 0x18, 0x05,
-	0x20, 0x03, 0x28, 0x09, 0x52, 0x06, 0x73, 0x63, 0x6f, 0x70, 0x65, 0x73, 0x12, 0x10, 0x0a, 0x03,
-	0x75, 0x72, 0x6c, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x6c, 0x12, 0x55,
-	0x0a, 0x0e, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x70, 0x61, 0x72, 0x61, 0x6d, 0x73,
-	0x18, 0x08, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2e, 0x2e, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75,
-	0x6d, 0x2e, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x50, 0x72, 0x6f, 0x76, 0x69,
-	0x64, 0x65, 0x72, 0x2e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x50, 0x61, 0x72, 0x61, 0x6d,
-	0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0d, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x50,
-	0x61, 0x72, 0x61, 0x6d, 0x73, 0x1a, 0x40, 0x0a, 0x12, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
-	0x50, 0x61, 0x72, 0x61, 0x6d, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b,
-	0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a,
-	0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61,
-	0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x97, 0x01, 0x0a, 0x07, 0x50, 0x72, 0x6f, 0x66,
-	0x69, 0x6c, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x5f,
-	0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64,
-	0x65, 0x72, 0x49, 0x64, 0x12, 0x19, 0x0a, 0x08, 0x69, 0x64, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e,
-	0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x69, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12,
-	0x1f, 0x0a, 0x0b, 0x6f, 0x61, 0x75, 0x74, 0x68, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x03,
-	0x20, 0x01, 0x28, 0x0c, 0x52, 0x0a, 0x6f, 0x61, 0x75, 0x74, 0x68, 0x54, 0x6f, 0x6b, 0x65, 0x6e,
-	0x12, 0x2f, 0x0a, 0x06, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b,
-	0x32, 0x17, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62,
-	0x75, 0x66, 0x2e, 0x53, 0x74, 0x72, 0x75, 0x63, 0x74, 0x52, 0x06, 0x63, 0x6c, 0x61, 0x69, 0x6d,
-	0x73, 0x42, 0x30, 0x5a, 0x2e, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f,
-	0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75,
-	0x6d, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x69, 0x64, 0x65, 0x6e, 0x74,
-	0x69, 0x74, 0x79, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+var file_github_com_pomerium_pomerium_pkg_grpc_identity_identity_proto_rawDesc = []byte{
+	0x0a, 0x3d, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6f, 0x6d,
+	0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70,
+	0x6b, 0x67, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79,
+	0x2f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12,
+	0x11, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2e, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69,
+	0x74, 0x79, 0x1a, 0x1c, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x62, 0x75, 0x66, 0x2f, 0x73, 0x74, 0x72, 0x75, 0x63, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x22, 0x8b, 0x03, 0x0a, 0x08, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x12, 0x0e, 0x0a,
+	0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x1b, 0x0a,
+	0x09, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x08, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x49, 0x64, 0x12, 0x23, 0x0a, 0x0d, 0x63, 0x6c,
+	0x69, 0x65, 0x6e, 0x74, 0x5f, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x0c, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x12,
+	0x12, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74,
+	0x79, 0x70, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x63, 0x6f, 0x70, 0x65, 0x73, 0x18, 0x05, 0x20,
+	0x03, 0x28, 0x09, 0x52, 0x06, 0x73, 0x63, 0x6f, 0x70, 0x65, 0x73, 0x12, 0x10, 0x0a, 0x03, 0x75,
+	0x72, 0x6c, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x6c, 0x12, 0x55, 0x0a,
+	0x0e, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x70, 0x61, 0x72, 0x61, 0x6d, 0x73, 0x18,
+	0x08, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2e, 0x2e, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d,
+	0x2e, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64,
+	0x65, 0x72, 0x2e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x50, 0x61, 0x72, 0x61, 0x6d, 0x73,
+	0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0d, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x50, 0x61,
+	0x72, 0x61, 0x6d, 0x73, 0x12, 0x3a, 0x0a, 0x17, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x61,
+	0x75, 0x74, 0x68, 0x5f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18,
+	0x09, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x14, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41,
+	0x75, 0x74, 0x68, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, 0x65, 0x88, 0x01, 0x01,
+	0x1a, 0x40, 0x0a, 0x12, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x50, 0x61, 0x72, 0x61, 0x6d,
+	0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75,
+	0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02,
+	0x38, 0x01, 0x42, 0x1a, 0x0a, 0x18, 0x5f, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x61, 0x75,
+	0x74, 0x68, 0x5f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x22, 0x97,
+	0x01, 0x0a, 0x07, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x72,
+	0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x0a, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x49, 0x64, 0x12, 0x19, 0x0a, 0x08, 0x69,
+	0x64, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x69,
+	0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x1f, 0x0a, 0x0b, 0x6f, 0x61, 0x75, 0x74, 0x68, 0x5f,
+	0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0a, 0x6f, 0x61, 0x75,
+	0x74, 0x68, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x2f, 0x0a, 0x06, 0x63, 0x6c, 0x61, 0x69, 0x6d,
+	0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
+	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x74, 0x72, 0x75, 0x63, 0x74,
+	0x52, 0x06, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x42, 0x30, 0x5a, 0x2e, 0x67, 0x69, 0x74, 0x68,
+	0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f,
+	0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x72, 0x70,
+	0x63, 0x2f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x33,
 }

 var (
-	file_identity_proto_rawDescOnce sync.Once
-	file_identity_proto_rawDescData = file_identity_proto_rawDesc
+	file_github_com_pomerium_pomerium_pkg_grpc_identity_identity_proto_rawDescOnce sync.Once
+	file_github_com_pomerium_pomerium_pkg_grpc_identity_identity_proto_rawDescData = file_github_com_pomerium_pomerium_pkg_grpc_identity_identity_proto_rawDesc
 )

-func file_identity_proto_rawDescGZIP() []byte {
-	file_identity_proto_rawDescOnce.Do(func() {
-		file_identity_proto_rawDescData = protoimpl.X.CompressGZIP(file_identity_proto_rawDescData)
+func file_github_com_pomerium_pomerium_pkg_grpc_identity_identity_proto_rawDescGZIP() []byte {
+	file_github_com_pomerium_pomerium_pkg_grpc_identity_identity_proto_rawDescOnce.Do(func() {
+		file_github_com_pomerium_pomerium_pkg_grpc_identity_identity_proto_rawDescData = protoimpl.X.CompressGZIP(file_github_com_pomerium_pomerium_pkg_grpc_identity_identity_proto_rawDescData)
 	})
-	return file_identity_proto_rawDescData
+	return file_github_com_pomerium_pomerium_pkg_grpc_identity_identity_proto_rawDescData
 }

-var file_identity_proto_msgTypes = make([]protoimpl.MessageInfo, 3)
-var file_identity_proto_goTypes = []interface{}{
+var file_github_com_pomerium_pomerium_pkg_grpc_identity_identity_proto_msgTypes = make([]protoimpl.MessageInfo, 3)
+var file_github_com_pomerium_pomerium_pkg_grpc_identity_identity_proto_goTypes = []interface{}{
 	(*Provider)(nil),        // 0: pomerium.identity.Provider
 	(*Profile)(nil),         // 1: pomerium.identity.Profile
 	nil,                     // 2: pomerium.identity.Provider.RequestParamsEntry
 	(*structpb.Struct)(nil), // 3: google.protobuf.Struct
 }
-var file_identity_proto_depIdxs = []int32{
+var file_github_com_pomerium_pomerium_pkg_grpc_identity_identity_proto_depIdxs = []int32{
 	2, // 0: pomerium.identity.Provider.request_params:type_name -> pomerium.identity.Provider.RequestParamsEntry
 	3, // 1: pomerium.identity.Profile.claims:type_name -> google.protobuf.Struct
 	2, // [2:2] is the sub-list for method output_type
@ -259,13 +276,13 @@ var file_identity_proto_depIdxs = []int32{
 	0, // [0:2] is the sub-list for field type_name
 }

-func init() { file_identity_proto_init() }
-func file_identity_proto_init() {
-	if File_identity_proto != nil {
+func init() { file_github_com_pomerium_pomerium_pkg_grpc_identity_identity_proto_init() }
+func file_github_com_pomerium_pomerium_pkg_grpc_identity_identity_proto_init() {
+	if File_github_com_pomerium_pomerium_pkg_grpc_identity_identity_proto != nil {
 		return
 	}
 	if !protoimpl.UnsafeEnabled {
-		file_identity_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+		file_github_com_pomerium_pomerium_pkg_grpc_identity_identity_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*Provider); i {
 			case 0:
 				return &v.state
@ -277,7 +294,7 @@ func file_identity_proto_init() {
 				return nil
 			}
 		}
-		file_identity_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+		file_github_com_pomerium_pomerium_pkg_grpc_identity_identity_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*Profile); i {
 			case 0:
 				return &v.state
@ -290,22 +307,23 @@ func file_identity_proto_init() {
 			}
 		}
 	}
+	file_github_com_pomerium_pomerium_pkg_grpc_identity_identity_proto_msgTypes[0].OneofWrappers = []interface{}{}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_identity_proto_rawDesc,
+			RawDescriptor: file_github_com_pomerium_pomerium_pkg_grpc_identity_identity_proto_rawDesc,
 			NumEnums:      0,
 			NumMessages:   3,
 			NumExtensions: 0,
 			NumServices:   0,
 		},
-		GoTypes:           file_identity_proto_goTypes,
-		DependencyIndexes: file_identity_proto_depIdxs,
-		MessageInfos:      file_identity_proto_msgTypes,
+		GoTypes:           file_github_com_pomerium_pomerium_pkg_grpc_identity_identity_proto_goTypes,
+		DependencyIndexes: file_github_com_pomerium_pomerium_pkg_grpc_identity_identity_proto_depIdxs,
+		MessageInfos:      file_github_com_pomerium_pomerium_pkg_grpc_identity_identity_proto_msgTypes,
 	}.Build()
-	File_identity_proto = out.File
-	file_identity_proto_rawDesc = nil
-	file_identity_proto_goTypes = nil
-	file_identity_proto_depIdxs = nil
+	File_github_com_pomerium_pomerium_pkg_grpc_identity_identity_proto = out.File
+	file_github_com_pomerium_pomerium_pkg_grpc_identity_identity_proto_rawDesc = nil
+	file_github_com_pomerium_pomerium_pkg_grpc_identity_identity_proto_goTypes = nil
+	file_github_com_pomerium_pomerium_pkg_grpc_identity_identity_proto_depIdxs = nil
 }
--- a/pkg/grpc/identity/identity.proto
+++ b/pkg/grpc/identity/identity.proto
@ -1,24 +1,26 @@
 syntax = "proto3";

 package pomerium.identity;
-option go_package = "github.com/pomerium/pomerium/pkg/grpc/identity";

 import "google/protobuf/struct.proto";

+option go_package = "github.com/pomerium/pomerium/pkg/grpc/identity";
+
 message Provider {
-  string id = 1;
-  string client_id = 2;
-  string client_secret = 3;
-  string type = 4;
-  repeated string scopes = 5;
+  string          id            = 1;
+  string          client_id     = 2;
+  string          client_secret = 3;
+  string          type          = 4;
+  repeated string scopes        = 5;
  // string service_account = 6;
-  string url = 7;
-  map<string, string> request_params = 8;
+  string              url                     = 7;
+  map<string, string> request_params          = 8;
+  optional string     device_auth_client_type = 9;
 }

 message Profile {
-  string provider_id = 1;
-  bytes id_token = 2;
-  bytes oauth_token = 3;
-  google.protobuf.Struct claims = 4;
+  string                 provider_id = 1;
+  bytes                  id_token    = 2;
+  bytes                  oauth_token = 3;
+  google.protobuf.Struct claims      = 4;
 }
--- a/pkg/identity/oauth/options.go
+++ b/pkg/identity/oauth/options.go
@ -29,4 +29,6 @@ type Options struct {
 	// AuthCodeOptions specifies additional key value pairs query params to add
 	// to the request flow signin url.
 	AuthCodeOptions map[string]string
+
+	DeviceAuthClientType string
 }
--- a/pkg/identity/oidc/oidc.go
+++ b/pkg/identity/oidc/oidc.go
@ -48,6 +48,8 @@ type Provider struct {
 	// to the request flow signin url.
 	AuthCodeOptions map[string]string

+	DeviceAuthClientType string
+
 	mu       sync.Mutex
 	provider *go_oidc.Provider
 }
@ -65,6 +67,9 @@ func New(ctx context.Context, o *oauth.Options, options ...Option) (*Provider, e
 	if len(o.AuthCodeOptions) != 0 {
 		p.AuthCodeOptions = o.AuthCodeOptions
 	}
+	if o.DeviceAuthClientType != "" {
+		p.DeviceAuthClientType = o.DeviceAuthClientType
+	}

 	p.cfg = getConfig(append([]Option{
 		WithGetOauthConfig(func(provider *go_oidc.Provider) *oauth2.Config {
@ -128,6 +133,11 @@ func (p *Provider) DeviceAuth(w http.ResponseWriter, r *http.Request) (*oauth2.D
 	for k, v := range p.AuthCodeOptions {
 		opts = append(opts, oauth2.SetAuthURLParam(k, v))
 	}
+	switch p.DeviceAuthClientType {
+	case "", "public":
+	case "confidential":
+		opts = append(opts, oauth2.SetAuthURLParam("client_secret", oa.ClientSecret))
+	}

 	resp, err := oa.DeviceAuth(r.Context(), opts...)
 	if err != nil {