Skip to content

[13.x] Device Authorization Grant RFC8628 #1750

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 64 commits into from
Mar 7, 2025
Merged

[13.x] Device Authorization Grant RFC8628 #1750

merged 64 commits into from
Mar 7, 2025
+1,135 −12

Conversation

@hafezdivandari
Copy link
Contributor

@hafezdivandari hafezdivandari commented May 30, 2024
edited
Loading

This PR adds support for Device Authorization Grant RFC8628.

Additions

Grant type

ORM

  • oauth_device_codes table.
  • Laravel\Passport\DeviceCode model.
  • Passport::useDeviceCodeModel()

Routes

  • POST /device/code: Request device code / user code.
  • GET /device: Display a form for entering the user code.
  • GET /device/authorize: Display authorization consent.
  • POST /device/authorize: Approve authorization.
  • DELETE /device/authorize: Deny authorization.

Views

Commands

  • New --device option on passport:client command.
  • Ask user about enabling device flow on passport:client command.
  • Purge expired / revoked device codes via passport:purge command.

Device Authorization Grant

The OAuth2 device authorization grant allows browserless or limited input devices, such as TVs and game consoles, to obtain an access token by exchanging a "device code". When using device flow, the device client will instruct the user to use a secondary device, such as a computer or a smartphone and connect to your server where they will enter the provided "user code" and either approve or deny the access request.

To get started, we need to instruct Passport how to return our "user code" and "authorization" views. Remember, Passport is a headless OAuth2 library. If you would like a frontend implementation of Laravel's OAuth features that are already completed for you, you should use an application starter kit.

All the authorization view's rendering logic may be customized using the appropriate methods available via the Laravel\Passport\Passport class. Typically, you should call this method from the boot method of your application's App\Providers\AppServiceProvider class. Passport will take care of defining the routes that returns these views:

use Laravel\Passport\Passport;

/**
 * Bootstrap any application services.
 */
public function boot(): void
{
    Passport::deviceUserCodeView('auth.oauth.device.user-code');
    Passport::deviceAuthorizationView('auth.oauth.device.authorize');

    // ...
}

Creating a Device Code Grant Client

Before your application can issue tokens via the device authorization grant, you will need to create a device flow enabled client. You may do this using the passport:client Artisan command with the --device option. This command will create a first-party device flow enabled client and provide you with a client ID and secret:

php artisan passport:client --device

Additionally, you may use createDeviceAuthorizationGrantClient method on the ClientRepository class to register a third-party client that belongs to the given user:

use App\Models\User;
use Laravel\Passport\ClientRepository;

$user = User::find($userId);

$client = app(ClientRepository::class)->createDeviceAuthorizationGrantClient(
    user: $user,
    name: 'Example Device',
    confidential: false,
);

Requesting Tokens

Requesting Device Code

Once a client has been created, developers may use their client ID to request a device code from your application. First, the consuming device should make a POST request to your application's /oauth/device/code route to request a device code:

use Illuminate\Support\Facades\Http;

$response = Http::asForm()->post('http://passport-app.test/oauth/device/code', [
    'client_id' => 'client-id',
    'scope' => '',
]);

return $response->json();

This will return a JSON response containing device_code, user_code, verification_uri, interval and expires_in attributes. The expires_in attribute contains the number of seconds until the device code expires. The interval attribute contains the number of seconds, the consuming device should wait between requests, when polling \oauth\token route to avoid rate limit errors.

Note

Remember, the /oauth/device/code route is already defined by Passport. You do not need to manually define this route.

Displaying Verification URI and User Code

Once a device code request has been obtained, the consuming device should instruct the user to use another device and visit the provided verification_uri and enter the user_code in order to review the authorization request.

Polling Token Request

Since the user will be using a separate device to grant (or deny) access, the consuming device should poll your application's /oauth/token route to determine when the user has responded to the request. The consuming device should use the minimum polling interval provided in the JSON response when requesting device code to avoid rate limit errors:

use Illuminate\Support\Facades\Http;
use Illuminate\Support\Sleep;

$interval = 5;

do {
    Sleep::for($interval)->seconds();

    $response = Http::asForm()->post('http://passport-app.test/oauth/token', [
        'grant_type' => 'urn:ietf:params:oauth:grant-type:device_code',
        'client_id' => 'client-id',
        'client_secret' => 'client-secret', // required for confidential clients only
        'device_code' => 'device-code',
    ]);
    
    if ($response->json('error') === 'slow_down') {
        $interval += 5;
    }
} while (in_array($response->json('error'), ['authorization_pending', 'slow_down']));

return $response->json();

If the user has approved the authorization request, this will return a JSON response containing access_token, refresh_token, and expires_in attributes. The expires_in attribute contains the number of seconds until the access token expires.

@github-actions
Copy link

github-actions bot commented May 30, 2024

Thanks for submitting a PR!

Note that draft PR's are not reviewed. If you would like a review, please mark your pull request as ready for review in the GitHub user interface.

Pull requests that are abandoned in draft may be closed due to inactivity.

This was referenced Jul 29, 2024
Merged
Merged
@hafezdivandari hafezdivandari mentioned this pull request Aug 7, 2024
Draft
2 tasks
@hafezdivandari hafezdivandari mentioned this pull request Aug 26, 2024
Merged
@hafezdivandari hafezdivandari mentioned this pull request Nov 24, 2024
Closed
@hafezdivandari hafezdivandari marked this pull request as ready for review February 15, 2025 11:11
@hafezdivandari
Copy link
Contributor Author

hafezdivandari commented Feb 18, 2025

Hi @taylorotwell this is ready for review.

@hafezdivandari hafezdivandari mentioned this pull request Feb 19, 2025
Merged
@taylorotwell taylorotwell merged commit 9656b14 into laravel:13.x Mar 7, 2025
4 checks passed
@hafezdivandari hafezdivandari deleted the 13.x-device-code-grant branch March 7, 2025 17:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@hafezdivandari @taylorotwell