
Should OAuth2DeviceVerificationAuthenticationProvider check if the user code is expired? #2006


Closed
colin-riddell opened this issue May 13, 2025 · 1 comment
Labels: status: duplicate (A duplicate of another issue)

@colin-riddell

Hey folks!

Expected Behavior
I was wondering, should/could the device verification endpoint, specifically the OAuth2DeviceVerificationAuthenticationProvider's authenticate method, reject expired user codes?

Perhaps before checking the scopes, the authorization's expiry for the device code could be checked and rejected with invalid_grant and an appropriate description.

Current Behavior
When an expired user code for device auth is used on the verification endpoint, it's accepted even though it's expired. It seems it allows verification consent correctly too.

Context

Alternatives Considered:

  • I guess we could check this manually with a device authentication verification override fairly easily (and we'll probably do that, since we need to be able to tell on first hit of the verification endpoint if the user code is expired or not).
  • I was also wondering if the OAuth2DeviceAuthorizationConsentAuthenticationProvider could handle this, but I suspect it might be better on that first hit of /oauth2/device_verification.

Open to PR'ing this if it's suitable?

@colin-riddell colin-riddell added the type: enhancement A general enhancement label May 13, 2025
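
The manual check mentioned under "Alternatives Considered" could look like the following. This is an added example, not code from the issue or from Spring Authorization Server. The class name is hypothetical, and it assumes the delegate is the stock OAuth2DeviceVerificationAuthenticationProvider and that this wrapper is registered ahead of it for the device verification endpoint.

```java
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.OAuth2UserCode;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2DeviceVerificationAuthenticationToken;

// Hypothetical wrapper (the name is an assumption): rejects an expired user code
// on the first hit of the verification endpoint, then defers to the delegate.
public final class ExpiryCheckingDeviceVerificationProvider implements AuthenticationProvider {
    private static final OAuth2TokenType USER_CODE = new OAuth2TokenType(OAuth2ParameterNames.USER_CODE);
    private final OAuth2AuthorizationService authorizationService;
    private final AuthenticationProvider delegate; // assumed: the stock verification provider

    public ExpiryCheckingDeviceVerificationProvider(
            OAuth2AuthorizationService authorizationService, AuthenticationProvider delegate) {
        this.authorizationService = authorizationService;
        this.delegate = delegate;
    }

    @Override
    public Authentication authenticate(Authentication authentication) {
        var request = (OAuth2DeviceVerificationAuthenticationToken) authentication;
        OAuth2Authorization authorization = this.authorizationService.findByToken(request.getUserCode(), USER_CODE);
        // Unknown user codes are left to the delegate, which already handles them.
        if (authorization != null) {
            OAuth2Authorization.Token<OAuth2UserCode> userCode = authorization.getToken(OAuth2UserCode.class);
            if (userCode != null && userCode.isExpired()) {
                throw new OAuth2AuthenticationException(new OAuth2Error(
                        OAuth2ErrorCodes.INVALID_GRANT, "The user code has expired.", null));
            }
        }
        return this.delegate.authenticate(authentication);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return OAuth2DeviceVerificationAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```
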
@colin-riddell
Author

Realising this is a duplicate of #1977

Still keen to help with the fix... stuck some suggestions on @antoinelauzon-bell's PR #1997

@jgrandja jgrandja self-assigned this May 15, 2025
@jgrandja jgrandja added status: duplicate A duplicate of another issue and removed type: enhancement A general enhancement labels May 15, 2025