jmjl / gist:aea99b3445194b04b992fe4c5b6800d7

Based on [KeyCloak's Design Document](https://github.com/keycloak/keycloak-community/blob/main/design/oauth2-device-authorization-grant.md) ``` $ curl -s "https://id.tilde.green/realms/tgci/.well-known/openid-configuration" |jq '.' ``` ``` { "issuer": "https://id.tilde.green/realms/tgci", "authorization_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/auth", "token_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/token", "introspection_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/token/introspect", "userinfo_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/userinfo", "end_session_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/logout", "frontchannel_logout_session_supported": true, "frontchannel_logout_supported": true, "jwks_uri": "https://id.tilde.green/realms/tgci/protocol/openid-connect/certs", "check_session_iframe": "https://id.tilde.green/realms/tgci/protocol/openid-connect/login-status-iframe.html", "grant_types_supported": [ "authorization_code", "implicit", "refresh_token", "password", "client_credentials", "urn:openid:params:grant-type:ciba", "urn:ietf:params:oauth:grant-type:device_code" ], "acr_values_supported": [ "0", "1" ], "response_types_supported": [ "code", "none", "id_token", "token", "id_token token", "code id_token", "code token", "code id_token token" ], "subject_types_supported": [ "public", "pairwise" ], "id_token_signing_alg_values_supported": [ "PS384", "RS384", "EdDSA", "ES384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512" ], "id_token_encryption_alg_values_supported": [ "RSA-OAEP", "RSA-OAEP-256", "RSA1_5" ], "id_token_encryption_enc_values_supported": [ "A256GCM", "A192GCM", "A128GCM", "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512" ], "userinfo_signing_alg_values_supported": [ "PS384", "RS384", "EdDSA", "ES384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512", "none" ], "userinfo_encryption_alg_values_supported": [ "RSA-OAEP", "RSA-OAEP-256", "RSA1_5" ], "userinfo_encryption_enc_values_supported": [ "A256GCM", "A192GCM", "A128GCM", "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512" ], "request_object_signing_alg_values_supported": [ "PS384", "RS384", "EdDSA", "ES384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512", "none" ], "request_object_encryption_alg_values_supported": [ "RSA-OAEP", "RSA-OAEP-256", "RSA1_5" ], "request_object_encryption_enc_values_supported": [ "A256GCM", "A192GCM", "A128GCM", "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512" ], "response_modes_supported": [ "query", "fragment", "form_post", "query.jwt", "fragment.jwt", "form_post.jwt", "jwt" ], "registration_endpoint": "https://id.tilde.green/realms/tgci/clients-registrations/openid-connect", "token_endpoint_auth_methods_supported": [ "private_key_jwt", "client_secret_basic", "client_secret_post", "tls_client_auth", "client_secret_jwt" ], "token_endpoint_auth_signing_alg_values_supported": [ "PS384", "RS384", "EdDSA", "ES384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512" ], "introspection_endpoint_auth_methods_supported": [ "private_key_jwt", "client_secret_basic", "client_secret_post", "tls_client_auth", "client_secret_jwt" ], "introspection_endpoint_auth_signing_alg_values_supported": [ "PS384", "RS384", "EdDSA", "ES384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512" ], "authorization_signing_alg_values_supported": [ "PS384", "RS384", "EdDSA", "ES384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512" ], "authorization_encryption_alg_values_supported": [ "RSA-OAEP", "RSA-OAEP-256", "RSA1_5" ], "authorization_encryption_enc_values_supported": [ "A256GCM", "A192GCM", "A128GCM", "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512" ], "claims_supported": [ "aud", "sub", "iss", "auth_time", "name", "given_name", "family_name", "preferred_username", "email", "acr" ], "claim_types_supported": [ "normal" ], "claims_parameter_supported": true, "scopes_supported": [ "openid", "address", "groups", "roles", "acr", "web-origins", "microprofile-jwt", "profile", "email", "offline_access", "phone", "basic" ], "request_parameter_supported": true, "request_uri_parameter_supported": true, "require_request_uri_registration": true, "code_challenge_methods_supported": [ "plain", "S256" ], "tls_client_certificate_bound_access_tokens": true, "revocation_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/revoke", "revocation_endpoint_auth_methods_supported": [ "private_key_jwt", "client_secret_basic", "client_secret_post", "tls_client_auth", "client_secret_jwt" ], "revocation_endpoint_auth_signing_alg_values_supported": [ "PS384", "RS384", "EdDSA", "ES384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512" ], "backchannel_logout_supported": true, "backchannel_logout_session_supported": true, "device_authorization_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/auth/device", "backchannel_token_delivery_modes_supported": [ "poll", "ping" ], "backchannel_authentication_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/ext/ciba/auth", "backchannel_authentication_request_signing_alg_values_supported": [ "PS384", "RS384", "EdDSA", "ES384", "ES256", "RS256", "ES512", "PS256", "PS512", "RS512" ], "require_pushed_authorization_requests": false, "pushed_authorization_request_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/ext/par/request", "mtls_endpoint_aliases": { "token_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/token", "revocation_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/revoke", "introspection_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/token/introspect", "device_authorization_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/auth/device", "registration_endpoint": "https://id.tilde.green/realms/tgci/clients-registrations/openid-connect", "userinfo_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/userinfo", "pushed_authorization_request_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/ext/par/request", "backchannel_authentication_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/ext/ciba/auth" }, "authorization_response_iss_parameter_supported": true } ``` If the URLs that I've used don't work, request the openid-configuration endpoint, and take the URLs manually. ``` $ curl -s -X POST \ -d "client_id=longlivedToken" \ "https://id.tilde.green/realms/tgci/protocol/openid-connect/auth/device" | jq '.' ``` ``` { "device_code": "<device_code>", "user_code": "<usercode>", "verification_uri": "https://id.tilde.green/realms/tgci/device", "verification_uri_complete": "https://id.tilde.green/realms/tgci/device?user_code=<usercode>", "expires_in": 600, "interval": 5 } ``` ``` $ curl -s -X POST \ -d "grant_type=urn:ietf:params:oauth:grant-type:device_code" \ -d "client_id=longlivedToken" \ -d "device_code=<device_code>" \ "https://id.tilde.green/realms/tgci/protocol/openid-connect/token" | jq '.' ``` ``` { "access_token": "YOUR_ACCESS_TOKEN", "expires_in": 473039798, "refresh_expires_in": 0, "token_type": "Bearer", "not-before-policy": 0, "session_state": "UUID", "scope": "profile" } ```