Last active 1725703885

Julian Marcos revised this gist 1725703879. Go to revision

1 file changed, 350 insertions

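--- a/device-authorization-grant.md
+++ b/device-authorization-grant.md
@@ -0,0 +1,350 @@
+Based on
+[KeyCloak's Design Document](https://github.com/keycloak/keycloak-community/blob/main/design/oauth2-device-authorization-grant.md)
+
+```
+$ curl -s "https://id.tilde.green/realms/tgci/.well-known/openid-configuration" |jq '.'
+```
+
+```
+{
+"issuer": "https://id.tilde.green/realms/tgci",
+"authorization_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/auth",
+"token_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/token",
+"introspection_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/token/introspect",
+"userinfo_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/userinfo",
+"end_session_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/logout",
+"frontchannel_logout_session_supported": true,
+"frontchannel_logout_supported": true,
+"jwks_uri": "https://id.tilde.green/realms/tgci/protocol/openid-connect/certs",
+"check_session_iframe": "https://id.tilde.green/realms/tgci/protocol/openid-connect/login-status-iframe.html",
+"grant_types_supported": [
+"authorization_code",
+"implicit",
+"refresh_token",
+"password",
+"client_credentials",
+"urn:openid:params:grant-type:ciba",
+"urn:ietf:params:oauth:grant-type:device_code"
+],
+"acr_values_supported": [
+"0",
+"1"
+],
+"response_types_supported": [
+"code",
+"none",
+"id_token",
+"token",
+"id_token token",
+"code id_token",
+"code token",
+"code id_token token"
+],
+"subject_types_supported": [
+"public",
+"pairwise"
+],
+"id_token_signing_alg_values_supported": [
+"PS384",
+"RS384",
+"EdDSA",
+"ES384",
+"HS256",
+"HS512",
+"ES256",
+"RS256",
+"HS384",
+"ES512",
+"PS256",
+"PS512",
+"RS512"
+],
+"id_token_encryption_alg_values_supported": [
+"RSA-OAEP",
+"RSA-OAEP-256",
+"RSA1_5"
+],
+"id_token_encryption_enc_values_supported": [
+"A256GCM",
+"A192GCM",
+"A128GCM",
+"A128CBC-HS256",
+"A192CBC-HS384",
+"A256CBC-HS512"
+],
+"userinfo_signing_alg_values_supported": [
+"PS384",
+"RS384",
+"EdDSA",
+"ES384",
+"HS256",
+"HS512",
+"ES256",
+"RS256",
+"HS384",
+"ES512",
+"PS256",
+"PS512",
+"RS512",
+"none"
+],
+"userinfo_encryption_alg_values_supported": [
+"RSA-OAEP",
+"RSA-OAEP-256",
+"RSA1_5"
+],
+"userinfo_encryption_enc_values_supported": [
+"A256GCM",
+"A192GCM",
+"A128GCM",
+"A128CBC-HS256",
+"A192CBC-HS384",
+"A256CBC-HS512"
+],
+"request_object_signing_alg_values_supported": [
+"PS384",
+"RS384",
+"EdDSA",
+"ES384",
+"HS256",
+"HS512",
+"ES256",
+"RS256",
+"HS384",
+"ES512",
+"PS256",
+"PS512",
+"RS512",
+"none"
+],
+"request_object_encryption_alg_values_supported": [
+"RSA-OAEP",
+"RSA-OAEP-256",
+"RSA1_5"
+],
+"request_object_encryption_enc_values_supported": [
+"A256GCM",
+"A192GCM",
+"A128GCM",
+"A128CBC-HS256",
+"A192CBC-HS384",
+"A256CBC-HS512"
+],
+"response_modes_supported": [
+"query",
+"fragment",
+"form_post",
+"query.jwt",
+"fragment.jwt",
+"form_post.jwt",
+"jwt"
+],
+"registration_endpoint": "https://id.tilde.green/realms/tgci/clients-registrations/openid-connect",
+"token_endpoint_auth_methods_supported": [
+"private_key_jwt",
+"client_secret_basic",
+"client_secret_post",
+"tls_client_auth",
+"client_secret_jwt"
+],
+"token_endpoint_auth_signing_alg_values_supported": [
+"PS384",
+"RS384",
+"EdDSA",
+"ES384",
+"HS256",
+"HS512",
+"ES256",
+"RS256",
+"HS384",
+"ES512",
+"PS256",
+"PS512",
+"RS512"
+],
+"introspection_endpoint_auth_methods_supported": [
+"private_key_jwt",
+"client_secret_basic",
+"client_secret_post",
+"tls_client_auth",
+"client_secret_jwt"
+],
+"introspection_endpoint_auth_signing_alg_values_supported": [
+"PS384",
+"RS384",
+"EdDSA",
+"ES384",
+"HS256",
+"HS512",
+"ES256",
+"RS256",
+"HS384",
+"ES512",
+"PS256",
+"PS512",
+"RS512"
+],
+"authorization_signing_alg_values_supported": [
+"PS384",
+"RS384",
+"EdDSA",
+"ES384",
+"HS256",
+"HS512",
+"ES256",
+"RS256",
+"HS384",
+"ES512",
+"PS256",
+"PS512",
+"RS512"
+],
+"authorization_encryption_alg_values_supported": [
+"RSA-OAEP",
+"RSA-OAEP-256",
+"RSA1_5"
+],
+"authorization_encryption_enc_values_supported": [
+"A256GCM",
+"A192GCM",
+"A128GCM",
+"A128CBC-HS256",
+"A192CBC-HS384",
+"A256CBC-HS512"
+],
+"claims_supported": [
+"aud",
+"sub",
+"iss",
+"auth_time",
+"name",
+"given_name",
+"family_name",
+"preferred_username",
+"email",
+"acr"
+],
+"claim_types_supported": [
+"normal"
+],
+"claims_parameter_supported": true,
+"scopes_supported": [
+"openid",
+"address",
+"groups",
+"roles",
+"acr",
+"web-origins",
+"microprofile-jwt",
+"profile",
+"email",
+"offline_access",
+"phone",
+"basic"
+],
+"request_parameter_supported": true,
+"request_uri_parameter_supported": true,
+"require_request_uri_registration": true,
+"code_challenge_methods_supported": [
+"plain",
+"S256"
+],
+"tls_client_certificate_bound_access_tokens": true,
+"revocation_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/revoke",
+"revocation_endpoint_auth_methods_supported": [
+"private_key_jwt",
+"client_secret_basic",
+"client_secret_post",
+"tls_client_auth",
+"client_secret_jwt"
+],
+"revocation_endpoint_auth_signing_alg_values_supported": [
+"PS384",
+"RS384",
+"EdDSA",
+"ES384",
+"HS256",
+"HS512",
+"ES256",
+"RS256",
+"HS384",
+"ES512",
+"PS256",
+"PS512",
+"RS512"
+],
+"backchannel_logout_supported": true,
+"backchannel_logout_session_supported": true,
+"device_authorization_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/auth/device",
+"backchannel_token_delivery_modes_supported": [
+"poll",
+"ping"
+],
+"backchannel_authentication_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/ext/ciba/auth",
+"backchannel_authentication_request_signing_alg_values_supported": [
+"PS384",
+"RS384",
+"EdDSA",
+"ES384",
+"ES256",
+"RS256",
+"ES512",
+"PS256",
+"PS512",
+"RS512"
+],
+"require_pushed_authorization_requests": false,
+"pushed_authorization_request_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/ext/par/request",
+"mtls_endpoint_aliases": {
+"token_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/token",
+"revocation_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/revoke",
+"introspection_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/token/introspect",
+"device_authorization_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/auth/device",
+"registration_endpoint": "https://id.tilde.green/realms/tgci/clients-registrations/openid-connect",
+"userinfo_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/userinfo",
+"pushed_authorization_request_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/ext/par/request",
+"backchannel_authentication_endpoint": "https://id.tilde.green/realms/tgci/protocol/openid-connect/ext/ciba/auth"
+},
+"authorization_response_iss_parameter_supported": true
+}
+```
+
+If the URLs that I've used don't work, request the openid-configuration
+endpoint, and take the URLs manually.
+
+```
+$ curl -s -X POST \
+-d "client_id=longlivedToken" \
+"https://id.tilde.green/realms/tgci/protocol/openid-connect/auth/device" | jq '.'
+```
+
+```
+{
+"device_code": "<device_code>",
+"user_code": "<usercode>",
+"verification_uri": "https://id.tilde.green/realms/tgci/device",
+"verification_uri_complete": "https://id.tilde.green/realms/tgci/device?user_code=<usercode>",
+"expires_in": 600,
+"interval": 5
+}
+```
+
+```
+$ curl -s -X POST \
+-d "grant_type=urn:ietf:params:oauth:grant-type:device_code" \
+-d "client_id=longlivedToken" \
+-d "device_code=<device_code>" \
+"https://id.tilde.green/realms/tgci/protocol/openid-connect/token" | jq '.'
+```
+
+```
+{
+"access_token": "YOUR_ACCESS_TOKEN",
+"expires_in": 473039798,
+"refresh_expires_in": 0,
+"token_type": "Bearer",
+"not-before-policy": 0,
+"session_state": "UUID",
+"scope": "profile"
+}
+```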