Device flow POC

[nsklikas]

POC for Hydra device flow.

To test:

• Bring up the rest of the components with:

  docker-compose -f docker-compose.dev.yml up --build --force-recreate

• Register a client in Hydra that can:

  hydra create client \
  --endpoint http://127.0.0.1:4445 \
  --name noauth \
  --grant-type urn:ietf:params:oauth:grant-type:device_code \
  --scope openid,offline \
  --token-endpoint-auth-method none

• You can use the client found in https://github.com/canonical/hydra-rock/tree/IAM-597 (only config needed is OAUTH_CLIENT_ID="<client_id>", where is taken from the previous step)
• Run the login UI with the usual config

Note

• [ ] I couldn't find a way to fetch info about the client so that we can ask for the user to authorize that specific device.

[nsklikas]

To run hydra you need to:

• Pull this branch(device-flow-poc)
• Pull the hydra config changes from https://github.com/canonical/hydra/commit/0f451f0a30a22d8e475c505948c4e06b72188783
• Build the hydra container by running:

  make docker

  This is needed to run the postgres migrations. If you don't want to do that you need to comment out the migration job in the docker compose and run the migrations manually using the hydra CLI.

• Run kratos, postgres and migrations using the docker compose in the identity-platform-login-ui:

  docker-compose -f docker-compose.dev.yml  up --build --force-recreate

• Run login-ui:

  export KRATOS_PUBLIC_URL="http://localhost:4433"
  export HYDRA_ADMIN_URL="http://localhost:4445"
  export BASE_URL="http://localhost:4455"
  export PORT="4455"
  export TRACING_ENABLED="false"
  export LOG_LEVEL="debug"
  export AUTHORIZATION_ENABLED="false"
  # Run this from the root of the repo
  go run . serve

• Run hydra:

  export DSN="postgres://hydra:secret@localhost:5432/hydra?sslmode=disable&max_conns=20&max_idle_conns=4"
  # Run this from the root of the repo
  go run . serve  -c ./contrib/quickstart/5-min/hydra.yml all  --dev

To test the flow run:

code_client=$(hydra create client \
  --endpoint http://localhost:4445 \
  --grant-type authorization_code,refresh_token,urn:ietf:params:oauth:grant-type:device_code \
  --response-type code \
  --format json \
  --scope openid,offline_access,email,profile \
  --redirect-uri http://127.0.0.1:4446/callback \
  --audience app_client \
)
curl -X POST localhost:4444/oauth2/device/auth \
  -d "scope=openid email" \
  -d client_id=`echo "$code_client" | yq .client_id` \
  -u `echo "$code_client" | yq .client_id`:`echo "$code_client" | yq .client_secret`

You can test the token endpoint by running:

curl -X POST localhost:4444/oauth2/token \
  -u "`echo "$code_client" | yq .client_id`:`echo "$code_client" | yq .client_secret`" \
  -d "grant_type=urn:ietf:params:oauth:grant-type:device_code" \
  -d device_code=<device_code>