Add new device_auth_client_type setting to allow attaching the client_secret to device auth requests

2025-07-24 03:59:49 +02:00 · 2024-06-06 15:57:37 -04:00 · 2024-06-06 15:57:37 -04:00 · bd5ad2e909
commit bd5ad2e909
parent fb7440a607
9 changed files with 1052 additions and 984 deletions
--- a/pkg/identity/oidc/oidc.go
+++ b/pkg/identity/oidc/oidc.go
@ -48,6 +48,8 @@ type Provider struct {
 	// to the request flow signin url.
 	AuthCodeOptions map[string]string

+	DeviceAuthClientType string
+
 	mu       sync.Mutex
 	provider *go_oidc.Provider
 }
@ -65,6 +67,9 @@ func New(ctx context.Context, o *oauth.Options, options ...Option) (*Provider, e
 	if len(o.AuthCodeOptions) != 0 {
 		p.AuthCodeOptions = o.AuthCodeOptions
 	}
+	if o.DeviceAuthClientType != "" {
+		p.DeviceAuthClientType = o.DeviceAuthClientType
+	}

 	p.cfg = getConfig(append([]Option{
 		WithGetOauthConfig(func(provider *go_oidc.Provider) *oauth2.Config {
@ -128,6 +133,11 @@ func (p *Provider) DeviceAuth(w http.ResponseWriter, r *http.Request) (*oauth2.D
 	for k, v := range p.AuthCodeOptions {
 		opts = append(opts, oauth2.SetAuthURLParam(k, v))
 	}
+	switch p.DeviceAuthClientType {
+	case "", "public":
+	case "confidential":
+		opts = append(opts, oauth2.SetAuthURLParam("client_secret", oa.ClientSecret))
+	}

 	resp, err := oa.DeviceAuth(r.Context(), opts...)
 	if err != nil {