tapis-project / authenticator

BSD 3-Clause "New" or "Revised" License

Support device flow grant type with (optional) long-lived tokens #6

Closed joestubbs closed 2 years ago

joestubbs commented 2 years ago

We should be able to also support a device flow for CLIs and other “headless” Tapis client apps (e.g., a Jupyter notebook). Note that we could even add support for this in place of the password grant type for tenants who use an LDAP IdP. The advantage is that the client application would not come in contact with the user’s password.

At a high level, the device flow consists of the following steps:

  1. Tapis client app requests device and user verification codes from the Tapis authorization server, and the Tapis authorization server responds with the authorization URL where the user will enter the user verification code. This is a POST request to a specific URL (/v3/oauth2/device/code) that includes the client ID. The full response includes:
     a. device_code: a one-time use code attached to the client ID. Used for polling to retrieve the user token (step 5).
     b. user_code: the code the user enters into the web app (step 4).
     c. verification_uri: the Tapis URL the user should use to enter the user_code (step 4).
     d. expires_in: seconds when the device and user code expire.

  2. The Tapis client app prompts the user to enter a user verification code at the URL returned from step 1. The user opens a browser and points to that URL.

  3. At that Tapis URL, the first step is to authenticate the user (if they don't already have a session). This could be via a login page in the case of LDAP, or Tapis could walk steps 2, 3 and 4 in the case of an OAuth2 backing IdP.

  4. Once the user is authenticated, Tapis authorization server prompts the user to enter the user code from step 1.

  5. Meanwhile, the Tapis client app polls Tapis for the user authentication status and token. It does this by making a POST /v3/oauth2/token, passing in the client id and the device_code (from step 1). Once the user has authenticated, entered the user code, and (optionally) authorized the device, Tapis will respond with an access token.

For more information, see the device flow spec or read about the GitHub implementation.
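The five steps above, modelled end to end as an added example (not the authenticator's own code): an in-memory stand-in for the authorization server issues the four fields from step 1, accepts the user_code once the user is authenticated (steps 3 and 4), and answers the client's polling in step 5 with authorization_pending, expired_token, invalid_grant or a one-time access token. The verification URI, token format and 600-second lifetime are assumptions, not Tapis values.

```python
import secrets
import time

# Constructed in-memory store standing in for the authorization server's
# database: device_code -> record. Assumed values, not the Tapis implementation.
_pending = {}
DEVICE_CODE_TTL = 600  # assumed expires_in, in seconds
VERIFICATION_URI = "https://example.tapis.io/v3/oauth2/device"  # assumed placeholder


def request_device_code(client_id, now=None):
    """Step 1: POST /v3/oauth2/device/code. Returns the four fields from the issue."""
    now = now if now is not None else time.time()
    device_code = secrets.token_urlsafe(32)  # high entropy, bound to client_id, never shown to the user
    user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))  # short, typed by a human
    _pending[device_code] = {"client_id": client_id, "user_code": user_code,
                             "expires_at": now + DEVICE_CODE_TTL, "user": None}
    return {"device_code": device_code, "user_code": user_code,
            "verification_uri": VERIFICATION_URI, "expires_in": DEVICE_CODE_TTL}


def authorize_user_code(user_code, username, now=None):
    """Steps 3-4: an already-authenticated user enters the user_code at verification_uri."""
    now = now if now is not None else time.time()
    for rec in _pending.values():
        if rec["user_code"] == user_code and rec["expires_at"] > now and rec["user"] is None:
            rec["user"] = username  # bind the pending device to the authenticated user
            return True
    return False  # unknown, expired or already-used code: do not reveal which


def poll_token(client_id, device_code, now=None):
    """Step 5: POST /v3/oauth2/token with client_id and device_code, repeated by the client."""
    now = now if now is not None else time.time()
    rec = _pending.get(device_code)
    if rec is None or rec["client_id"] != client_id:
        return {"error": "invalid_grant"}  # device_code must match the client that requested it
    if rec["expires_at"] <= now:
        del _pending[device_code]
        return {"error": "expired_token"}  # the client must start again from step 1
    if rec["user"] is None:
        return {"error": "authorization_pending"}  # user has not finished steps 3-4 yet
    del _pending[device_code]  # one-time use: a repeated poll cannot mint a second token
    return {"access_token": "tok-" + secrets.token_urlsafe(16), "sub": rec["user"]}
```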

joestubbs commented 2 years ago

In addition to the tenant config allowing device flow as a grant type, the tenant could also choose to allow the device flow to generate long-lived tokens (for instance, tokens lasting months or even years). To offer this, we should also probably implement the token revocation issue.

joestubbs commented 2 years ago

released in 1.2.0