DrDaveD
commented
3 years ago Note that I have a vault-plugins-auth-jwt pull request that implements this for that plugin.
Closed impl closed 3 years ago
DrDaveD
commented
3 years ago Note that I have a vault-plugins-auth-jwt pull request that implements this for that plugin.
impl
commented
3 years ago Nice! That will be very helpful as a reference at a minimum. Thanks!
Use Case
It would be nice if our CLI applications didn't have to worry about the mechanics of any OAuth 2.0 flow and could simply receive a session identifier like any other web client.
Describe the Solution You Would Like
The device authorization grant type is specified by RFC 8628. Unlike the client credentials grant type, it is substantially similar to the authorization code exchange grant type. The response will contain a refresh token and access token. Our
credsendpoints already support the two other common types,authorization_codeandrefresh_token, implicitly. Therefore, I propose that we make the grant type an explicit parameter on this endpoint and support the following types:grant_type=authorization_code(current default behavior)grant_type=refresh_token(current behavior ifrefresh_tokenis specified, would be implicit in this case)grant_type=urn:ietf:params:oauth:grant-type:device_code(new type)For
grant_type=urn:ietf:params:oauth:grant-type:device_code, we perform the following:device_codeis not specified, we request a new device code. The provider must be able to provide a device authorization endpoint (similar to the auth code URL). The write operation will return the verification URL and code for the end user to follow. This gives us a device code so we can now proceed regardless.Additional Context