From c1fa70252a6f67aab519927229d117533941394d Mon Sep 17 00:00:00 2001 From: Thilina Shashimal Senarath Date: Wed, 25 Sep 2024 10:17:03 +0530 Subject: [PATCH] Add device code grant in Asgardeo --- .../authentication/oidc/implement-device-flow.md | 4 ++++ en/asgardeo/mkdocs.yml | 1 + .../authentication/oidc/implement-device-flow.md | 8 +++++--- en/includes/references/grant-types.md | 10 ++++------ 4 files changed, 14 insertions(+), 9 deletions(-) create mode 100644 en/asgardeo/docs/guides/authentication/oidc/implement-device-flow.md diff --git a/en/asgardeo/docs/guides/authentication/oidc/implement-device-flow.md b/en/asgardeo/docs/guides/authentication/oidc/implement-device-flow.md new file mode 100644 index 0000000000..80ec9281c3 --- /dev/null +++ b/en/asgardeo/docs/guides/authentication/oidc/implement-device-flow.md @@ -0,0 +1,4 @@ +{% set product_name = "Asgardeo" %} +{% set product_url_format = "https://api.asgardeo.io/t/{organization_name}" %} +{% set product_url_sample = "https://api.asgardeo.io/t/bifrost" %} +{% include "../../../../../includes/guides/authentication/oidc/implement-device-flow.md" %} diff --git a/en/asgardeo/mkdocs.yml b/en/asgardeo/mkdocs.yml index 10107625db..f3061a6b57 100644 --- a/en/asgardeo/mkdocs.yml +++ b/en/asgardeo/mkdocs.yml @@ -232,6 +232,7 @@ nav: - Implement login using Pushed Authorization Requests: guides/authentication/oidc/implement-login-with-par.md - JWT Secured Authorization Response Mode (JARM) for OAuth 2.0: guides/authentication/oidc/jarm.md - Implement login using the OIDC Hybrid Flow: guides/authentication/oidc/implement-oidc-hybrid-flow.md + - Implement login using the Device Code flow: guides/authentication/oidc/implement-device-flow.md - Configure token exchange: guides/authentication/configure-token-exchange.md - Validate ID tokens: guides/authentication/oidc/validate-id-tokens.md - Request user information: guides/authentication/oidc/request-user-info.md 
diff --git a/en/includes/guides/authentication/oidc/implement-device-flow.md b/en/includes/guides/authentication/oidc/implement-device-flow.md index 441777fb9f..dfdcb1d93c 100644 --- a/en/includes/guides/authentication/oidc/implement-device-flow.md +++ b/en/includes/guides/authentication/oidc/implement-device-flow.md @@ -5,7 +5,8 @@ See the instructions given below to implement login with OpenID Connect in your Refer [how the device authorization flow work]({{base_path}}/references/grant-types/#device-authorization-grant) for more information. ## Prerequisites - +{% if product_name == "Asgardeo" %} +{% else %} ??? note "[Optional] Update device flow configurations" The device authorization grant is available by default in WSO2 Identity Server. If you need to update configurations, navigate to `/repository/conf/deployment.toml` and update the configurations in `[oauth.grant_type.device_code]` section as required. @@ -23,6 +24,7 @@ Refer [how the device authorization flow work]({{base_path}}/references/grant-ty | `expiry_time` | The expiry time of the user code and the device code. | | `polling_interval` | The minimum delay of the client between each polling request to the token endpoint. | | `key_set` | The set of characters that is used to generate the user code. | +{% endif %} To get started, you need to have an application registered in {{ product_name }}. If you don't already have one, [register a web app with OIDC]({{base_path}}/guides/applications/register-oidc-web-app/). @@ -55,7 +57,7 @@ First, your app must initiate a login request to the authorization endpoint of { https://localhost:9443/oauth2/device_authorize ``` -Upon successful execution of the request, the WSO2 Identity Server returns the `user_code`, `devicce_code` and the `verification_uri` to the client device. +Upon successful execution of the request, the {{ product_name }} returns the `user_code`, `devicce_code` and the `verification_uri` to the client device. **Sample response** 
@@ -127,4 +129,4 @@ Use the following cURL to obtain an access token "token_type":"Bearer", "expires_in":3042 } -``` \ No newline at end of file +``` diff --git a/en/includes/references/grant-types.md b/en/includes/references/grant-types.md index d08e8a7d18..ebfdd5d419 100644 --- a/en/includes/references/grant-types.md +++ b/en/includes/references/grant-types.md @@ -13,6 +13,7 @@ The grant types supported by {{ product_name }} applications are as follows: - [Password grant](#password-grant) - [Token exchange grant](#token-exchange-grant) - [SAML 2.0 bearer grant](#saml-20-bearer-grant) +- [Device authorization grant](#device-authorization-grant) **{{ product_name }}'s custom grants** @@ -107,7 +108,6 @@ The following diagram shows how the password grant flow works. 6. The client application can now request user information from the resource server by providing the access token. 7. The resource server returns the requested user information to the client application. -{% if product_name == "WSO2 Identity Server" %} ## Device authorization grant Device authorization grant (Device flow) is an OAuth 2.0 extension that lets clients sign in to applications through, 
@@ -125,13 +125,13 @@ The diagram below illustrates the device flow. 1. The client device sends an access request including its client identifier to WSO2 Identity Server. -2. WSO2 Identity Server issues a device code, a user code, and a verification URI. +2. {{ product_name }} issues a device code, a user code, and a verification URI. 3. The client device instructs the user to access the provided URI using a secondary device (e.g., a mobile device). The client device provides the user with the user code. -4. WSO2 Identity server prompts the user to enter the end-user code and the user enters the uder code +4. {{ product_name }} prompts the user to enter the end-user code and the user enters the uder code -5. WSO2 Identity server validates the code and asks the end user to accept or decline the authorization request. +5. {{ product_name }} validates the code and asks the end user to accept or decline the authorization request. 6. While the end user reviews the authorization request, the client polls the authorization server with the device code and client identifier to check if the user has completed the authorization step. @@ -141,8 +141,6 @@ The diagram below illustrates the device flow. 9. The resource server returns the requested user information to the client application. -{% endif %} - ## Token exchange grant OAuth 2.0 token exchange is a grant type in the OAuth 2.0 framework that enables the exchange of one type of token for another. This grant type is defined in the [OAuth Token Exchange specification (RFC 8693)](https://datatracker.ietf.org/doc/html/rfc8693){:target="_blank"}
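Review bot: In the hunk at `@@ -5,7 +8,8 @@` of `en/includes/guides/authentication/oidc/implement-device-flow.md`, the `{% if product_name == "Asgardeo" %}` branch is empty and only the `{% else %}` branch carries content; inverting the condition to `{% if product_name != "Asgardeo" %}` and dropping the `{% else %}` says the same thing in one line and avoids readers (and future editors) wondering what was meant to go in the empty branch. Since this hunk already touches the Prerequisites section, the header context line `Refer [how the device authorization flow work]` could take the "works" fix at the same time.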
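Review bot: In the hunk at `@@ -55,7 +57,7 @@` of the same include, the sample request endpoint in the context line just above the changed sentence is still `https://localhost:9443/oauth2/device_authorize`, so the rendered Asgardeo page would send readers to a WSO2 Identity Server localhost endpoint even though the new wrapper file defines `product_url_sample = "https://api.asgardeo.io/t/bifrost"`; the sample should be templated from that variable (for example `{{ product_url_sample }}/oauth2/device_authorize`) so each product renders its own device authorization endpoint. The rewritten line also keeps the `devicce_code` typo (the parameter is `device_code`, as the rest of the guide uses it) and "the {{ product_name }}" renders as "the Asgardeo"; dropping "the" reads correctly for both products.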
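Review bot: In the hunk at `@@ -125,13 +125,13 @@` of `en/includes/references/grant-types.md`, step 1 is left as "to WSO2 Identity Server" while steps 2, 4 and 5 are changed to `{{ product_name }}`; because the `{% if product_name == "WSO2 Identity Server" %}` guard around this section is removed elsewhere in this patch, the Asgardeo page will now describe the client sending its request to WSO2 Identity Server. Step 1 should use `{{ product_name }}` as well, and the retouched step 4 still carries the `uder code` typo and has no terminating period, unlike the other steps.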