From 8699d7239d4a20c986c1412a68cd3790ffe8fdc3 Mon Sep 17 00:00:00 2001
From: Bart Geesink
Date: Mon, 14 Oct 2024 19:22:36 +0200
Subject: [PATCH] OIDCNG: Make the device flow configurable
---
 roles/oidcng/defaults/main.yml | 2 ++
 roles/oidcng/templates/application.yml.j2 | 2 ++
 roles/oidcng/templates/openid-configuration.json.j2 | 8 ++++++--
 3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/roles/oidcng/defaults/main.yml b/roles/oidcng/defaults/main.yml
index 23d6def24..cc444fba4 100644
--- a/roles/oidcng/defaults/main.yml
+++ b/roles/oidcng/defaults/main.yml
@@ -9,6 +9,7 @@ oidcng_idp_metadata_url: https://engine.{{ base_domain }}/authentication/idp/met
 oidcng_base_hostname: connect.{{ base_domain }}
 oidcng_logback_email: true
 oidcng_logback_json: true
+oidcng_device_flow: false
 oidcng_idp_sso_location: https://engine.{{ base_domain }}/authentication/idp/single-sign-on
 oidcng_manage_provision_samlsp_client_id: "https://connect.{{ base_domain }}"
 oidcng_manage_provision_samlsp_name_en: "{{ instance_name }} OIDC Gateway"
@@ -18,3 +19,4 @@ oidcng_manage_provision_samlsp_metadata_url: "https://connect.{{ base_domain }}/
 oidcng_manage_provision_samlsp_sp_cert: "{{ lookup('file', '{{ inventory_dir }}/files/certs/oidc/oidcsaml.crt') | depem }}"
 oidcng_manage_provision_samlsp_sign: "True"
 oidcng_manage_provision_samlsp_trusted_proxy: "True"
+
diff --git a/roles/oidcng/templates/application.yml.j2 b/roles/oidcng/templates/application.yml.j2
index 74ddfc11f..03bba7150 100644
--- a/roles/oidcng/templates/application.yml.j2
+++ b/roles/oidcng/templates/application.yml.j2
@@ -50,7 +50,9 @@ certificate_path: file://{{ oidcng_config_dir }}/oidcsaml.crt
 default_acr_value: {{ oidcng.default_acr_value }}
 secure_cookie: true
 oidc_token_endpoint: https://connect.{{ base_domain }}/oidc/token
+{% if oidcng_device_flow | bool %}
 device_verification_url: https://connect.{{ base_domain }}/oidc/verify
+{% endif %}
 environment: {{ oidcng.environment }}
 features: 
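Review bot: The new `oidcng_device_flow: false` default carries no comment saying what it controls, although defaults/main.yml is where an operator decides whether to turn it on; a line above it such as `# Enable the OAuth 2.0 device authorization grant (device_code) on the oidcng endpoints and advertise it in the discovery document; off by default` would document it. The templates read it through `| bool`, so a quoted "true"/"false" coming from an inventory is handled as well. The second hunk in this file only appends an empty line at the end of the file and could be dropped.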
diff --git a/roles/oidcng/templates/openid-configuration.json.j2 b/roles/oidcng/templates/openid-configuration.json.j2
index 874b0c6af..5356d4873 100644
--- a/roles/oidcng/templates/openid-configuration.json.j2
+++ b/roles/oidcng/templates/openid-configuration.json.j2
@@ -5,7 +5,9 @@
 "userinfo_endpoint": "https://{{ oidcng_base_hostname }}/oidc/userinfo",
 "introspect_endpoint": "https://{{ oidcng_base_hostname }}/oidc/introspect",
 "jwks_uri": "https://{{ oidcng_base_hostname }}/oidc/certs",
+{% if oidcng_device_flow | bool %}
 "device_authorization_endpoint": "https://{{ oidcng_base_hostname }}/oidc/device_authorization",
+{% endif %}
 "response_types_supported": [
 "code",
 "token",
@@ -24,8 +26,10 @@
 "authorization_code",
 "implicit",
 "refresh_token",
- "client_credentials",
- "urn:ietf:params:oauth:grant-type:device_code"
+{% if oidcng_device_flow | bool %}
+ "urn:ietf:params:oauth:grant-type:device_code",
+{% endif %}
+ "client_credentials"
 ],
 "subject_types_supported": [
 "public",
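Review bot: Omitting `device_authorization_endpoint` and the `device_code` grant from the discovery document when `oidcng_device_flow` is false only changes what is advertised; nothing in this diff shows the oidcng application refusing requests to `/oidc/device_authorization` when the flag is off, and the application.yml.j2 hunk merely leaves out `device_verification_url`. If the server keeps serving the device endpoints regardless, the flag hides the feature rather than disabling it, so it is worth confirming that the application rejects device grants when `device_verification_url` is absent (or via a dedicated setting) and recording that in the comment on the defaults variable. The reorder in the second hunk, which moves `"client_credentials"` to the last position so the conditional `device_code` entry can carry the trailing comma, keeps the rendered JSON valid in both states; a template comment such as `{# client_credentials is last so the optional device_code entry never leaves a trailing comma #}` would explain why the order differs from before.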