Inconsistent Error Responses in Device Flow

[shashimalcse]

Describe the issue: In the device flow, the token response is the same for multiple scenarios that should have distinct error codes according to the OAuth 2.0 Device Authorization Grant specification (RFC 8628).

Currently, the following scenarios all return the same error response:

• While waiting for the user to authenticate/authorize
• When polling too fast from the application
• When the authorization request was denied
• When the device code has expired

The current error response for all these scenarios is:

{
   "error_description": "Error occurred while retrieving subject identifier for device code: 1a29b9d9-1d86-4f71-be32-202a1a29029c",
   "error": "invalid_grant"
}

How to reproduce:

• Initiate a device flow authentication process.
• Attempt to retrieve a token in each of the following scenarios:
  • Before the user has authenticated
  • Immediately after a previous token request (to trigger rate limiting)
  • After the device code has expired

Expected behavior: According to the specification, there should be distinct error codes for different scenarios:

• authorization_pending: The authorization request is still pending.
• slow_down: The client is polling too frequently.
• expired_token: The device code has expired.
• access_denied: The user denied the request.

Environment information (Please complete the following information; remove any unnecessary fields) :

• Product Version: IS 7.0.0

---

Optional Fields

Related issues:

Suggested labels:

[DMHP]

https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/2587

[DMHP]

Manual Testing:

Success Case Request: curl -k -X POST -H 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:device_code' --data-urlencode 'client_id=bXwTdGpDuBC4kuOtecQvd_ue8Qka' --data-urlencode 'device_code=c031edad-7085-4c89-b6e0-c54a4834a2ec' https://localhost:9443/oauth2/token

Response: {"access_token":"2d859716-3fee-3f82-bd59-44fed93c6ff4","token_type":"Bearer","expires_in":3600}

When the authorization is pending Request: curl -k -X POST -H 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:device_code' --data-urlencode 'client_id=bXwTdGpDuBC4kuOtecQvd_ue8Qka' --data-urlencode 'device_code=acf10b14-b596-4cba-883f-4bb6256debbc' https://localhost:9443/oauth2/token

Response: {"error_description":"Precondition required","error":"authorization_pending"}

When the token is expired: Same request as above. Response: {"error_description":"Precondition required","error":"authorization_pending"}

When frequent requests sent before the polling interval Same request as above. Response: {"error_description":"Forbidden","error":"slow_down"}