[13.x] Device Authorization Grant RFC8628 (#1750)

* add device code grant

* formatting

* wip

* wip

* wip

* wip

* wip

* wip

* wip

* wip

* wip

* wip

* wip

* fix controllers

* formatting

* add tests

* formatting

* revert unrelated changes

* revert irrelevant changes

* add device option on client command

* formatting

* formatting

* formatting

* add more tests

* formatting

* remove result view

* formatting

* formatting

* formatting

* formatting

* add more tests

* formatting

* force re-run tests

* resolve stateful guard

* add more tests

* simplify

* fix tests

* formatting

* add interval

* fix tests

* simplify

* formatting

* add more tests

* revert changes on interval

* revert changes on interval

* formatting

* add a test

* formatting

* Update ClientCommand.php

* formatting

---------

Co-authored-by: Taylor Otwell <[email protected]>

Author: hafezdivandari

database/factories/ClientFactory.php

@@ -91,4 +91,15 @@ public function asClientCredentials(): static
             'redirect_uris' => [],
         ]);
     }
+
+    /**
+     * Use as a Device Code client.
+     */
+    public function asDeviceCodeClient(): static
+    {
+        return $this->state([
+            'grant_types' => ['urn:ietf:params:oauth:grant-type:device_code', 'refresh_token'],
+            'redirect_uris' => [],
+        ]);
+    }
 }

database/migrations/2024_06_01_000001_create_oauth_device_codes_table.php

@@ -0,0 +1,42 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    /**
+     * Run the migrations.
+     */
+    public function up(): void
+    {
+        Schema::create('oauth_device_codes', function (Blueprint $table) {
+            $table->char('id', 80)->primary();
+            $table->foreignId('user_id')->nullable()->index();
+            $table->foreignUuid('client_id')->index();
+            $table->char('user_code', 8)->unique();
+            $table->text('scopes');
+            $table->boolean('revoked');
+            $table->dateTime('user_approved_at')->nullable();
+            $table->dateTime('last_polled_at')->nullable();
+            $table->dateTime('expires_at')->nullable();
+        });
+    }
+
+    /**
+     * Reverse the migrations.
+     */
+    public function down(): void
+    {
+        Schema::dropIfExists('oauth_device_codes');
+    }
+
+    /**
+     * Get the migration connection name.
+     */
+    public function getConnection(): ?string
+    {
+        return $this->connection ?? config('passport.connection');
+    }
+};

routes/web.php

@@ -15,6 +15,18 @@
     'middleware' => 'web',
 ]);
 
+Route::get('/device', [
+    'uses' => 'DeviceUserCodeController',
+    'as' => 'device',
+    'middleware' => 'web',
+]);
+
+Route::post('/device/code', [
+    'uses' => 'DeviceCodeController',
+    'as' => 'device.code',
+    'middleware' => 'throttle',
+]);
+
 $guard = config('passport.guard', null);
 
 Route::middleware(['web', $guard ? 'auth:'.$guard : 'auth'])->group(function () {
@@ -33,6 +45,21 @@
         'as' => 'authorizations.deny',
     ]);
 
+    Route::get('/device/authorize', [
+        'uses' => 'DeviceAuthorizationController',
+        'as' => 'device.authorizations.authorize',
+    ]);
+
+    Route::post('/device/authorize', [
+        'uses' => 'ApproveDeviceAuthorizationController',
+        'as' => 'device.authorizations.approve',
+    ]);
+
+    Route::delete('/device/authorize', [
+        'uses' => 'DenyDeviceAuthorizationController',
+        'as' => 'device.authorizations.deny',
+    ]);
+
     if (Passport::$registersJsonApiRoutes) {
         Route::get('/tokens', [
             'uses' => 'AuthorizedAccessTokenController@forUser',

src/Bridge/Client.php

@@ -18,15 +18,18 @@ class Client implements ClientEntityInterface
      */
     public function __construct(
         string $identifier,
-        string $name,
-        array $redirectUri,
+        ?string $name = null,
+        array $redirectUri = [],
         bool $isConfidential = false,
         public ?string $provider = null,
         public array $grantTypes = [],
     ) {
         $this->setIdentifier($identifier);
 
-        $this->name = $name;
+        if (! is_null($name)) {
+            $this->name = $name;
+        }
+
         $this->isConfidential = $isConfidential;
         $this->redirectUri = $redirectUri;
     }

src/Bridge/DeviceCode.php

@@ -0,0 +1,60 @@
+<?php
+
+namespace Laravel\Passport\Bridge;
+
+use DateTimeImmutable;
+use League\OAuth2\Server\Entities\DeviceCodeEntityInterface;
+use League\OAuth2\Server\Entities\Traits\DeviceCodeTrait;
+use League\OAuth2\Server\Entities\Traits\EntityTrait;
+use League\OAuth2\Server\Entities\Traits\TokenEntityTrait;
+
+class DeviceCode implements DeviceCodeEntityInterface
+{
+    use EntityTrait, DeviceCodeTrait, TokenEntityTrait;
+
+    /**
+     * Create a new device code instance.
+     *
+     * @param  non-empty-string|null  $identifier
+     * @param  non-empty-string|null  $userIdentifier
+     * @param  non-empty-string|null  $clientIdentifier
+     * @param  string[]  $scopes
+     */
+    public function __construct(
+        ?string $identifier = null,
+        ?string $userIdentifier = null,
+        ?string $clientIdentifier = null,
+        array $scopes = [],
+        bool $userApproved = false,
+        ?DateTimeImmutable $lastPolledAt = null,
+        ?DateTimeImmutable $expiryDateTime = null
+    ) {
+        if (! is_null($identifier)) {
+            $this->setIdentifier($identifier);
+        }
+
+        if (! is_null($userIdentifier)) {
+            $this->setUserIdentifier($userIdentifier);
+        }
+
+        if (! is_null($clientIdentifier)) {
+            $this->setClient(new Client($clientIdentifier));
+        }
+
+        foreach ($scopes as $scope) {
+            $this->addScope(new Scope($scope));
+        }
+
+        if ($userApproved) {
+            $this->setUserApproved($userApproved);
+        }
+
+        if (! is_null($lastPolledAt)) {
+            $this->setLastPolledAt($lastPolledAt);
+        }
+
+        if (! is_null($expiryDateTime)) {
+            $this->setExpiryDateTime($expiryDateTime);
+        }
+    }
+}

src/Bridge/DeviceCodeRepository.php

@@ -0,0 +1,106 @@
+<?php
+
+namespace Laravel\Passport\Bridge;
+
+use Illuminate\Support\Facades\Date;
+use Laravel\Passport\DeviceCode as DeviceCodeModel;
+use Laravel\Passport\Passport;
+use League\OAuth2\Server\Entities\DeviceCodeEntityInterface;
+use League\OAuth2\Server\Repositories\DeviceCodeRepositoryInterface;
+
+class DeviceCodeRepository implements DeviceCodeRepositoryInterface
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function getNewDeviceCode(): DeviceCodeEntityInterface
+    {
+        return new DeviceCode;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function persistDeviceCode(DeviceCodeEntityInterface $deviceCodeEntity): void
+    {
+        if (! is_null($deviceCodeEntity->getUserIdentifier())) {
+            Passport::deviceCode()->newQuery()->whereKey($deviceCodeEntity->getIdentifier())->update([
+                'user_id' => $deviceCodeEntity->getUserIdentifier(),
+                'user_approved_at' => $deviceCodeEntity->getUserApproved() ? Date::now() : null,
+            ]);
+        } elseif (! is_null($deviceCodeEntity->getLastPolledAt())) {
+            Passport::deviceCode()->newQuery()->whereKey($deviceCodeEntity->getIdentifier())->update([
+                'last_polled_at' => $deviceCodeEntity->getLastPolledAt(),
+            ]);
+        } else {
+            Passport::deviceCode()->forceFill([
+                'id' => $deviceCodeEntity->getIdentifier(),
+                'user_id' => null,
+                'client_id' => $deviceCodeEntity->getClient()->getIdentifier(),
+                'user_code' => $deviceCodeEntity->getUserCode(),
+                'scopes' => $deviceCodeEntity->getScopes(),
+                'revoked' => false,
+                'user_approved_at' => null,
+                'last_polled_at' => null,
+                'expires_at' => $deviceCodeEntity->getExpiryDateTime(),
+            ])->save();
+        }
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getDeviceCodeEntityByDeviceCode(string $deviceCode): ?DeviceCodeEntityInterface
+    {
+        $record = Passport::deviceCode()->newQuery()->whereKey($deviceCode)->where(['revoked' => false])->first();
+
+        return $record ? $this->fromDeviceCodeModel($record) : null;
+    }
+
+    /*
+     * Get the device code entity by the given user code.
+     */
+    public function getDeviceCodeEntityByUserCode(string $userCode): ?DeviceCodeEntityInterface
+    {
+        $record = Passport::deviceCode()->newQuery()
+            ->where('user_code', $userCode)
+            ->whereNull('user_id')
+            ->where('expires_at', '>', Date::now())
+            ->where('revoked', false)
+            ->first();
+
+        return $record ? $this->fromDeviceCodeModel($record) : null;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function revokeDeviceCode(string $codeId): void
+    {
+        Passport::deviceCode()->newQuery()->whereKey($codeId)->update(['revoked' => true]);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function isDeviceCodeRevoked(string $codeId): bool
+    {
+        return Passport::deviceCode()->newQuery()->whereKey($codeId)->where('revoked', false)->doesntExist();
+    }
+
+    /**
+     * Create a new device code entity from the given device code model instance.
+     */
+    protected function fromDeviceCodeModel(DeviceCodeModel $model): DeviceCodeEntityInterface
+    {
+        return new DeviceCode(
+            $model->getKey(),
+            $model->user_id,
+            $model->client_id,
+            $model->scopes,
+            ! is_null($model->user_approved_at),
+            $model->last_polled_at?->toDateTimeImmutable(),
+            $model->expires_at?->toDateTimeImmutable()
+        );
+    }
+}

src/ClientRepository.php

@@ -152,6 +152,21 @@ public function createImplicitGrantClient(string $name, array $redirectUris): Cl
         return $this->create($name, ['implicit'], $redirectUris, null, false);
     }
 
+    /**
+     * Store a new device authorization grant client.
+     *
+     * @param  \Laravel\Passport\HasApiTokens|null  $user
+     */
+    public function createDeviceAuthorizationGrantClient(
+        string $name,
+        bool $confidential = true,
+        ?Authenticatable $user = null
+    ): Client {
+        return $this->create(
+            $name, ['urn:ietf:params:oauth:grant-type:device_code', 'refresh_token'], [], null, $confidential, $user
+        );
+    }
+
     /**
      * Store a new authorization code grant client.
      *
@@ -161,11 +176,16 @@ public function createAuthorizationCodeGrantClient(
         string $name,
         array $redirectUris,
         bool $confidential = true,
-        ?Authenticatable $user = null
+        ?Authenticatable $user = null,
+        bool $enableDeviceFlow = false
     ): Client {
-        return $this->create(
-            $name, ['authorization_code', 'refresh_token'], $redirectUris, null, $confidential, $user
-        );
+        $grantTypes = ['authorization_code', 'refresh_token'];
+
+        if ($enableDeviceFlow) {
+            $grantTypes[] = 'urn:ietf:params:oauth:grant-type:device_code';
+        }
+
+        return $this->create($name, $grantTypes, $redirectUris, null, $confidential, $user);
     }
 
     /**

src/Console/ClientCommand.php

@@ -20,6 +20,7 @@ class ClientCommand extends Command
             {--password : Create a password grant client}
             {--client : Create a client credentials grant client}
             {--implicit : Create an implicit grant client}
+            {--device : Create a device authorization grant client}
             {--name= : The name of the client}
             {--provider= : The name of the user provider}
             {--redirect_uri= : The URI to redirect to after authorization }
@@ -49,6 +50,7 @@ public function handle(ClientRepository $clients): void
             $this->option('password') => $this->createPasswordClient($clients),
             $this->option('client') => $this->createClientCredentialsClient($clients),
             $this->option('implicit') => $this->createImplicitClient($clients),
+            $this->option('device') => $this->createDeviceCodeClient($clients),
             default => $this->createAuthCodeClient($clients)
         };
 
@@ -119,6 +121,18 @@ protected function createImplicitClient(ClientRepository $clients): Client
         return $clients->createImplicitGrantClient($this->option('name'), explode(',', $redirect));
     }
 
+    /**
+     * Create a device code client.
+     */
+    protected function createDeviceCodeClient(ClientRepository $clients): Client
+    {
+        $confidential = $this->hasOption('public')
+            ? ! $this->option('public')
+            : $this->confirm('Would you like to make this client confidential?', true);
+
+        return $clients->createDeviceAuthorizationGrantClient($this->option('name'), $confidential);
+    }
+
     /**
      * Create an authorization code client.
      */
@@ -133,8 +147,10 @@ protected function createAuthCodeClient(ClientRepository $clients): Client
             ? ! $this->option('public')
             : $this->confirm('Would you like to make this client confidential?', true);
 
+        $enableDeviceFlow = $this->confirm('Would you like to enable the device authorization flow for this client?');
+
         return $clients->createAuthorizationCodeGrantClient(
-            $this->option('name'), explode(',', $redirect), $confidential,
+            $this->option('name'), explode(',', $redirect), $confidential, null, $enableDeviceFlow
         );
     }
 }

src/Console/PurgeCommand.php

@@ -46,6 +46,7 @@ public function handle(): void
         Passport::token()->newQuery()->where($constraint)->delete();
         Passport::authCode()->newQuery()->where($constraint)->delete();
         Passport::refreshToken()->newQuery()->where($constraint)->delete();
+        Passport::deviceCode()->newQuery()->where($constraint)->delete();
 
         $this->components->info(sprintf('Purged %s.', implode(' and ', array_filter([
             $revoked ? 'revoked items' : null,

src/Contracts/ApprovedDeviceAuthorizationResponse.php

@@ -0,0 +1,10 @@
+<?php
+
+namespace Laravel\Passport\Contracts;
+
+use Illuminate\Contracts\Support\Responsable;
+
+interface ApprovedDeviceAuthorizationResponse extends Responsable
+{
+    //
+}