device-authorization-grant.md
· 8.4 KiB · Markdown
Raw
Based on
[KeyCloak's Design Document](https://github.com/keycloak/keycloak-community/blob/main/design/oauth2-device-authorization-grant.md)
```
$ curl -s "https://id.tilde.green/realms/tgci/.well-known/openid-configuration" |jq '.'
```
```
{
"issuer": "https://id.tilde.green/realms/tgci",
"authorization_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/auth",
"token_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/token",
"introspection_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/token/introspect",
"userinfo_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/userinfo",
"end_session_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/logout",
"frontchannel_logout_session_supported": true,
"frontchannel_logout_supported": true,
"jwks_uri": "https://id.tilde.green/realms/tgci/protocol/openid-connect/certs",
"check_session_iframe": "https://id.tilde.green/realms/tgci/protocol/openid-connect/login-status-iframe.html",
"grant_types_supported": [
"authorization_code",
"implicit",
"refresh_token",
"password",
"client_credentials",
"urn:openid:params:grant-type:ciba",
"urn:ietf:params:oauth:grant-type:device_code"
],
"acr_values_supported": [
"0",
"1"
],
"response_types_supported": [
"code",
"none",
"id_token",
"token",
"id_token token",
"code id_token",
"code token",
"code id_token token"
],
"subject_types_supported": [
"public",
"pairwise"
],
"id_token_signing_alg_values_supported": [
"PS384",
"RS384",
"EdDSA",
"ES384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"id_token_encryption_alg_values_supported": [
"RSA-OAEP",
"RSA-OAEP-256",
"RSA1_5"
],
"id_token_encryption_enc_values_supported": [
"A256GCM",
"A192GCM",
"A128GCM",
"A128CBC-HS256",
"A192CBC-HS384",
"A256CBC-HS512"
],
"userinfo_signing_alg_values_supported": [
"PS384",
"RS384",
"EdDSA",
"ES384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512",
"none"
],
"userinfo_encryption_alg_values_supported": [
"RSA-OAEP",
"RSA-OAEP-256",
"RSA1_5"
],
"userinfo_encryption_enc_values_supported": [
"A256GCM",
"A192GCM",
"A128GCM",
"A128CBC-HS256",
"A192CBC-HS384",
"A256CBC-HS512"
],
"request_object_signing_alg_values_supported": [
"PS384",
"RS384",
"EdDSA",
"ES384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512",
"none"
],
"request_object_encryption_alg_values_supported": [
"RSA-OAEP",
"RSA-OAEP-256",
"RSA1_5"
],
"request_object_encryption_enc_values_supported": [
"A256GCM",
"A192GCM",
"A128GCM",
"A128CBC-HS256",
"A192CBC-HS384",
"A256CBC-HS512"
],
"response_modes_supported": [
"query",
"fragment",
"form_post",
"query.jwt",
"fragment.jwt",
"form_post.jwt",
"jwt"
],
"registration_endpoint": "https://id.tilde.green/realms/tgci/clients-registrations/openid-connect",
"token_endpoint_auth_methods_supported": [
"private_key_jwt",
"client_secret_basic",
"client_secret_post",
"tls_client_auth",
"client_secret_jwt"
],
"token_endpoint_auth_signing_alg_values_supported": [
"PS384",
"RS384",
"EdDSA",
"ES384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"introspection_endpoint_auth_methods_supported": [
"private_key_jwt",
"client_secret_basic",
"client_secret_post",
"tls_client_auth",
"client_secret_jwt"
],
"introspection_endpoint_auth_signing_alg_values_supported": [
"PS384",
"RS384",
"EdDSA",
"ES384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"authorization_signing_alg_values_supported": [
"PS384",
"RS384",
"EdDSA",
"ES384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"authorization_encryption_alg_values_supported": [
"RSA-OAEP",
"RSA-OAEP-256",
"RSA1_5"
],
"authorization_encryption_enc_values_supported": [
"A256GCM",
"A192GCM",
"A128GCM",
"A128CBC-HS256",
"A192CBC-HS384",
"A256CBC-HS512"
],
"claims_supported": [
"aud",
"sub",
"iss",
"auth_time",
"name",
"given_name",
"family_name",
"preferred_username",
"email",
"acr"
],
"claim_types_supported": [
"normal"
],
"claims_parameter_supported": true,
"scopes_supported": [
"openid",
"address",
"groups",
"roles",
"acr",
"web-origins",
"microprofile-jwt",
"profile",
"email",
"offline_access",
"phone",
"basic"
],
"request_parameter_supported": true,
"request_uri_parameter_supported": true,
"require_request_uri_registration": true,
"code_challenge_methods_supported": [
"plain",
"S256"
],
"tls_client_certificate_bound_access_tokens": true,
"revocation_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/revoke",
"revocation_endpoint_auth_methods_supported": [
"private_key_jwt",
"client_secret_basic",
"client_secret_post",
"tls_client_auth",
"client_secret_jwt"
],
"revocation_endpoint_auth_signing_alg_values_supported": [
"PS384",
"RS384",
"EdDSA",
"ES384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"backchannel_logout_supported": true,
"backchannel_logout_session_supported": true,
"device_authorization_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/auth/device",
"backchannel_token_delivery_modes_supported": [
"poll",
"ping"
],
"backchannel_authentication_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/ext/ciba/auth",
"backchannel_authentication_request_signing_alg_values_supported": [
"PS384",
"RS384",
"EdDSA",
"ES384",
"ES256",
"RS256",
"ES512",
"PS256",
"PS512",
"RS512"
],
"require_pushed_authorization_requests": false,
"pushed_authorization_request_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/ext/par/request",
"mtls_endpoint_aliases": {
"token_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/token",
"revocation_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/revoke",
"introspection_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/token/introspect",
"device_authorization_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/auth/device",
"registration_endpoint": "https://id.tilde.green/realms/tgci/clients-registrations/openid-connect",
"userinfo_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/userinfo",
"pushed_authorization_request_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/ext/par/request",
"backchannel_authentication_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/ext/ciba/auth"
},
"authorization_response_iss_parameter_supported": true
}
```
If the URLs that I've used don't work, request the openid-configuration
endpoint, and take the URLs manually.
```
$ curl -s -X POST \
-d "client_id=longlivedToken" \
"https://id.tilde.green/realms/tgci/protocol/openid-connect/auth/device" | jq '.'
```
```
{
"device_code": "<device_code>",
"user_code": "<usercode>",
"verification_uri": "https://id.tilde.green/realms/tgci/device",
"verification_uri_complete": "https://id.tilde.green/realms/tgci/device?user_code=<usercode>",
"expires_in": 600,
"interval": 5
}
```
```
$ curl -s -X POST \
-d "grant_type=urn:ietf:params:oauth:grant-type:device_code" \
-d "client_id=longlivedToken" \
-d "device_code=<device_code>" \
"https://id.tilde.green/realms/tgci/protocol/openid-connect/token" | jq '.'
```
```
{
"access_token": "YOUR_ACCESS_TOKEN",
"expires_in": 473039798,
"refresh_expires_in": 0,
"token_type": "Bearer",
"not-before-policy": 0,
"session_state": "UUID",
"scope": "profile"
}
```
Based on KeyCloak's Design Document
$ curl -s "https://id.tilde.green/realms/tgci/.well-known/openid-configuration" |jq '.'
{
"issuer": "https://id.tilde.green/realms/tgci",
"authorization_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/auth",
"token_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/token",
"introspection_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/token/introspect",
"userinfo_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/userinfo",
"end_session_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/logout",
"frontchannel_logout_session_supported": true,
"frontchannel_logout_supported": true,
"jwks_uri": "https://id.tilde.green/realms/tgci/protocol/openid-connect/certs",
"check_session_iframe": "https://id.tilde.green/realms/tgci/protocol/openid-connect/login-status-iframe.html",
"grant_types_supported": [
"authorization_code",
"implicit",
"refresh_token",
"password",
"client_credentials",
"urn:openid:params:grant-type:ciba",
"urn:ietf:params:oauth:grant-type:device_code"
],
"acr_values_supported": [
"0",
"1"
],
"response_types_supported": [
"code",
"none",
"id_token",
"token",
"id_token token",
"code id_token",
"code token",
"code id_token token"
],
"subject_types_supported": [
"public",
"pairwise"
],
"id_token_signing_alg_values_supported": [
"PS384",
"RS384",
"EdDSA",
"ES384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"id_token_encryption_alg_values_supported": [
"RSA-OAEP",
"RSA-OAEP-256",
"RSA1_5"
],
"id_token_encryption_enc_values_supported": [
"A256GCM",
"A192GCM",
"A128GCM",
"A128CBC-HS256",
"A192CBC-HS384",
"A256CBC-HS512"
],
"userinfo_signing_alg_values_supported": [
"PS384",
"RS384",
"EdDSA",
"ES384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512",
"none"
],
"userinfo_encryption_alg_values_supported": [
"RSA-OAEP",
"RSA-OAEP-256",
"RSA1_5"
],
"userinfo_encryption_enc_values_supported": [
"A256GCM",
"A192GCM",
"A128GCM",
"A128CBC-HS256",
"A192CBC-HS384",
"A256CBC-HS512"
],
"request_object_signing_alg_values_supported": [
"PS384",
"RS384",
"EdDSA",
"ES384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512",
"none"
],
"request_object_encryption_alg_values_supported": [
"RSA-OAEP",
"RSA-OAEP-256",
"RSA1_5"
],
"request_object_encryption_enc_values_supported": [
"A256GCM",
"A192GCM",
"A128GCM",
"A128CBC-HS256",
"A192CBC-HS384",
"A256CBC-HS512"
],
"response_modes_supported": [
"query",
"fragment",
"form_post",
"query.jwt",
"fragment.jwt",
"form_post.jwt",
"jwt"
],
"registration_endpoint": "https://id.tilde.green/realms/tgci/clients-registrations/openid-connect",
"token_endpoint_auth_methods_supported": [
"private_key_jwt",
"client_secret_basic",
"client_secret_post",
"tls_client_auth",
"client_secret_jwt"
],
"token_endpoint_auth_signing_alg_values_supported": [
"PS384",
"RS384",
"EdDSA",
"ES384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"introspection_endpoint_auth_methods_supported": [
"private_key_jwt",
"client_secret_basic",
"client_secret_post",
"tls_client_auth",
"client_secret_jwt"
],
"introspection_endpoint_auth_signing_alg_values_supported": [
"PS384",
"RS384",
"EdDSA",
"ES384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"authorization_signing_alg_values_supported": [
"PS384",
"RS384",
"EdDSA",
"ES384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"authorization_encryption_alg_values_supported": [
"RSA-OAEP",
"RSA-OAEP-256",
"RSA1_5"
],
"authorization_encryption_enc_values_supported": [
"A256GCM",
"A192GCM",
"A128GCM",
"A128CBC-HS256",
"A192CBC-HS384",
"A256CBC-HS512"
],
"claims_supported": [
"aud",
"sub",
"iss",
"auth_time",
"name",
"given_name",
"family_name",
"preferred_username",
"email",
"acr"
],
"claim_types_supported": [
"normal"
],
"claims_parameter_supported": true,
"scopes_supported": [
"openid",
"address",
"groups",
"roles",
"acr",
"web-origins",
"microprofile-jwt",
"profile",
"email",
"offline_access",
"phone",
"basic"
],
"request_parameter_supported": true,
"request_uri_parameter_supported": true,
"require_request_uri_registration": true,
"code_challenge_methods_supported": [
"plain",
"S256"
],
"tls_client_certificate_bound_access_tokens": true,
"revocation_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/revoke",
"revocation_endpoint_auth_methods_supported": [
"private_key_jwt",
"client_secret_basic",
"client_secret_post",
"tls_client_auth",
"client_secret_jwt"
],
"revocation_endpoint_auth_signing_alg_values_supported": [
"PS384",
"RS384",
"EdDSA",
"ES384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"backchannel_logout_supported": true,
"backchannel_logout_session_supported": true,
"device_authorization_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/auth/device",
"backchannel_token_delivery_modes_supported": [
"poll",
"ping"
],
"backchannel_authentication_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/ext/ciba/auth",
"backchannel_authentication_request_signing_alg_values_supported": [
"PS384",
"RS384",
"EdDSA",
"ES384",
"ES256",
"RS256",
"ES512",
"PS256",
"PS512",
"RS512"
],
"require_pushed_authorization_requests": false,
"pushed_authorization_request_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/ext/par/request",
"mtls_endpoint_aliases": {
"token_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/token",
"revocation_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/revoke",
"introspection_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/token/introspect",
"device_authorization_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/auth/device",
"registration_endpoint": "https://id.tilde.green/realms/tgci/clients-registrations/openid-connect",
"userinfo_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/userinfo",
"pushed_authorization_request_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/ext/par/request",
"backchannel_authentication_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/ext/ciba/auth"
},
"authorization_response_iss_parameter_supported": true
}
If the URLs that I've used don't work, request the openid-configuration endpoint, and take the URLs manually.
$ curl -s -X POST \
-d "client_id=longlivedToken" \
"https://id.tilde.green/realms/tgci/protocol/openid-connect/auth/device" | jq '.'
{
"device_code": "<device_code>",
"user_code": "<usercode>",
"verification_uri": "https://id.tilde.green/realms/tgci/device",
"verification_uri_complete": "https://id.tilde.green/realms/tgci/device?user_code=<usercode>",
"expires_in": 600,
"interval": 5
}
$ curl -s -X POST \
-d "grant_type=urn:ietf:params:oauth:grant-type:device_code" \
-d "client_id=longlivedToken" \
-d "device_code=<device_code>" \
"https://id.tilde.green/realms/tgci/protocol/openid-connect/token" | jq '.'
{
"access_token": "YOUR_ACCESS_TOKEN",
"expires_in": 473039798,
"refresh_expires_in": 0,
"token_type": "Bearer",
"not-before-policy": 0,
"session_state": "UUID",
"scope": "profile"
}