Create an approved site when using device code flow #821
Conversation
federicaagostini
force-pushed
the
issue-595
branch
from
256a43a to
9ade9b1
Compare
| @@ -257,6 +261,10 @@ public String approveDevice(@RequestParam("user_code") String userCode, | |||
|
|
|||
| model.put("approved", true); | |||
|
|
|||
| Date timeout = null; | |||
| approvedSiteService.createApprovedSite(client.getClientId(), auth.getName(), timeout, | |||
There was a problem hiding this comment.
The problem here is the case where there is a scope policy. Since it is evaluated after this step, in the approved sites we will see also the filtered scope - and in fact we see it on the consent page and actually approve it, even though it is then removed from the scope policy filter in the access token.
In general, this mitre code needs to be improved later, but as a start I think it might be fine like this!
There was a problem hiding this comment.
The problem here is the case where there is a scope policy. Since it is evaluated after this step, in the approved sites we will see also the filtered scope - and in fact we see it on the consent page and actually approve it, even though it is then removed from the scope policy filter in the access token. In general, this mitre code needs to be improved later, but as a start I think it might be fine like this!
Scope policy filter added before the device consent page!
since it was always prompting to the consent page, even when already approved. Looks like the check if "authorizationRequest.isApproved()" is necessary
for both authorization and device code flows
|
|
From Gabriel Zachmann: the client should only be linked to the user account if it currently is not linked to any user or at least not for public clients. |
...ervice/src/test/java/it/infn/mw/iam/test/oauth/scope/pdp/ScopePolicyFilteringDeviceCode.java
Outdated
Show resolved
Hide resolved
|
The device code flow did not imply the creation of an approved site when the user give the consent to the client, as the authorization code flow does.
This PR adds an approved site using the same logic as the authorization code flow. Moreover, the scope policy filter has been added here for both the authorization code flow and device code flow.
This required to move (and cleanup) MitreID classes related to the device code flow into IAM.