feat: implement OAuth 2.0 Device Authorization Grant (RFC 8628)#42
Merged
Merged
Conversation
dce3118 to
5a304b0
Compare
Implements the OAuth 2.0 Device Authorization Grant flow according to RFC 8628 for devices with limited input capabilities or lack of web browser access. Key features: - Device authorization endpoint (`/oauth/device_authorization`) - Device code token endpoint integration - User device verification flow with HTML templates - Internal device authorization client management - Support for both SQLite and PostgreSQL storage backends - Comprehensive test coverage for device flow scenarios Additional improvements: - Enhanced OAuth client registration with application metadata - SQLX offline mode support for both database backends - OAuth scope validation and configuration - Client management API enhancements - Integration with existing private_key_jwt authentication support
5a304b0 to
69c80cf
Compare
ngerakines
approved these changes
Sep 13, 2025
bigmoves
added a commit
to bigmoves/aip
that referenced
this pull request
Sep 18, 2025
…e-social#42) Implements the OAuth 2.0 Device Authorization Grant flow according to RFC 8628 for devices with limited input capabilities or lack of web browser access. Key features: - Device authorization endpoint (`/oauth/device_authorization`) - Device code token endpoint integration - User device verification flow with HTML templates - Internal device authorization client management - Support for both SQLite and PostgreSQL storage backends - Comprehensive test coverage for device flow scenarios Additional improvements: - Enhanced OAuth client registration with application metadata - SQLX offline mode support for both database backends - OAuth scope validation and configuration - Client management API enhancements - Integration with existing private_key_jwt authentication support
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
OAuth 2.0 Device Authorization Grant Implementation (RFC 8628)
Summary
Implements the OAuth 2.0 Device Authorization Grant flow, allowing CLI tools and other devices without web browsers to authenticate users and obtain ATProtocol sessions.
How the Flow Works
Step 1: Device Authorization Request
CLI tool requests device authorization:
Response:
{ "device_code": "device_a1b2c3d4e5f6", "user_code": "WXYZ-1234", "verification_uri": "https://aip.example.com/device", "expires_in": 1800, "interval": 5 }Step 2: User Authorization
CLI displays to user:
User visits the URL, enters code, and completes ATProtocol OAuth authentication.
Step 3: Device Token Polling
While user is authorizing, CLI polls every 5 seconds:
Before authorization:
{"error": "authorization_pending"}After authorization:
{ "access_token": "aip_at_xyz789...", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "aip_rt_abc123...", "scope": "atproto:atproto" }Step 4: Access ATProtocol Session
CLI uses access token to get session data:
Response:
{ "did": "did:plc:user123...", "handle": "user.bsky.social", "access_token": "atp_session_token...", "pds_endpoint": "https://bsky.social", }Key Changes
New Endpoints
POST /oauth/device- Device authorization requestsGET /device- User verification pagePOST /oauth/token- Added device_code grant typeDatabase Changes
device_codestable for tracking authorization stateCore Files Modified
src/oauth/auth_server.rs- Added device code grant handlingsrc/oauth/clients/registration.rs- Enhanced for native appssrc/storage/traits.rs- New DeviceCodeStore traitsrc/http/handler_*.rs- New device endpointsExample Application
examples/device-flow-cli/Client Registration for Device Flow
Device clients register differently than web apps:
{ "client_name": "Device Flow CLI Example", "grant_types": ["urn:ietf:params:oauth:grant-type:device_code", "refresh_token"], "response_types": ["device_code"], "token_endpoint_auth_method": "none", "application_type": "native" }Key differences: no
redirect_uris, public client (noneauth), device-specific grant types.Security Features
Testing
Run the example:
cd examples/device-flow-cli ./register-client.sh cargo runBackward Compatibility
✅ No breaking changes - purely additive feature that doesn't affect existing OAuth flows.
New Screens