Open
Labels
enhancement (New feature or request)
Description
Requires: #2
We currently support standard OAuth2 authorization flows, but not the Device Code Flow. I honestly don't know if we need this. I can see it being useful for clients on devices with limited input like CLI tools that authenticate users securely without needing to handle redirects or browsers.
Proposed Change
The Device Code Flow allows a device (or app without a browser) to obtain user authorization by:
- Requesting a `device_code` and `user_code` from the auth service.
- Showing the user a verification URI and prompting them to enter the `user_code`.
- Polling the token endpoint until the user authorizes the request (or the code expires).
This flow is described in RFC 8628.
Proposed Endpoints
| Endpoint | Method | Description |
|---|---|---|
| `/v1/oauth2/device/code` | POST | Generates a new device and user code pair. Request requires `client_id` and scopes. |
| `/v1/oauth2/device/verify` | POST | User authorization and consent. Request requires the user to be authenticated and to provide the `user_code`. |
| `/device` | GET | User verification page to enter a code; requires the user to be authenticated. |
Implementation Notes
- Add `device_code` and `user_code` support to the database schema with an expiry.
- Store issued codes with expiry times and client associations.
- The verification page should integrate with existing login/session logic, and once the user approves, mark the device code as authorized.
- Enforce polling rate limits using the `interval` parameter.
- Token issuance should mirror existing flows, generating `access_token` and `refresh_token` pairs.
- Add SDK helpers for CLI or embedded device clients to simplify usage.
- Extend end-to-end tests to cover the full flow (authorization, polling, and token issuance).
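The three client steps and the implementation notes above, as one in-memory model of the RFC 8628 grant. This is an added example, not code from this project. It assumes the device polls the existing token endpoint with `grant_type=urn:ietf:params:oauth:grant-type:device_code` (RFC 8628 section 3.4; the endpoint table above does not list a polling endpoint) and returns the error codes RFC 8628 section 3.5 defines (`authorization_pending`, `slow_down`, `access_denied`, `expired_token`). `DeviceFlowServer`, `FakeClock`, the verification URI `https://auth.example/device`, and the `verify()` return strings are illustrative names, not the proposed API.

```python
"""In-memory model of the RFC 8628 device authorization grant (added example)."""
import secrets
import time
from dataclasses import dataclass
from typing import Optional

DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
# RFC 8628 section 6.1: a short code from an unambiguous alphabet is easy to type;
# 8 characters from these 20 consonants give roughly 34.5 bits of entropy.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


@dataclass
class DeviceGrant:
    client_id: str
    scope: str
    device_code: str
    user_code: str
    expires_at: float
    interval: int
    status: str = "pending"            # pending | authorized | denied
    user_id: Optional[str] = None
    last_poll: Optional[float] = None
    used: bool = False


class DeviceFlowServer:
    """Authorization-server side; clock is injectable so expiry can be tested."""

    def __init__(self, clock=time.time, lifetime=600, interval=5):
        self.clock, self.lifetime, self.interval = clock, lifetime, interval
        self.by_device_code: dict = {}
        self.by_user_code: dict = {}

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """POST /v1/oauth2/device/code: issue the code pair and its expiry."""
        device_code = secrets.token_urlsafe(32)  # 256 bits; never shown to a human
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        grant = DeviceGrant(client_id, scope, device_code, user_code,
                            self.clock() + self.lifetime, self.interval)
        self.by_device_code[device_code] = grant
        self.by_user_code[user_code] = grant
        return {"device_code": device_code,
                "user_code": f"{user_code[:4]}-{user_code[4:]}",  # display form
                "verification_uri": "https://auth.example/device",  # assumed URI
                "expires_in": self.lifetime, "interval": self.interval}

    def verify(self, user_id: str, user_code: str, approve: bool) -> str:
        """POST /v1/oauth2/device/verify, from the user's authenticated browser session."""
        grant = self.by_user_code.get(user_code.replace("-", "").upper())
        if grant is None or grant.status != "pending" or self.clock() > grant.expires_at:
            return "invalid_or_expired_code"  # same answer for unknown and stale codes
        grant.status = "authorized" if approve else "denied"
        grant.user_id = user_id
        return grant.status

    def token(self, client_id: str, grant_type: str, device_code: str) -> dict:
        """Token endpoint as polled by the device."""
        if grant_type != DEVICE_CODE_GRANT:
            return {"error": "unsupported_grant_type"}
        grant = self.by_device_code.get(device_code)
        if grant is None or grant.client_id != client_id or grant.used:
            return {"error": "invalid_grant"}  # wrong client or already redeemed
        now = self.clock()
        if now > grant.expires_at:
            return {"error": "expired_token"}
        if grant.last_poll is not None and now - grant.last_poll < grant.interval:
            grant.interval += 5  # RFC 8628 3.5: client must add 5 s after slow_down
            grant.last_poll = now
            return {"error": "slow_down", "interval": grant.interval}
        grant.last_poll = now
        if grant.status == "pending":
            return {"error": "authorization_pending"}
        if grant.status == "denied":
            return {"error": "access_denied"}
        grant.used = True  # single use: a replayed device_code gets invalid_grant
        return {"access_token": secrets.token_urlsafe(32),
                "refresh_token": secrets.token_urlsafe(32),
                "token_type": "Bearer", "scope": grant.scope, "sub": grant.user_id}


class FakeClock:
    """Constructed clock so the walkthrough is deterministic and runs offline."""
    def __init__(self, t=1_700_000_000.0):
        self.t = t
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


def run_demo() -> list:
    """Full flow: codes issued, impatient poll, user consent, token, replay refused."""
    clock = FakeClock()
    server = DeviceFlowServer(clock=clock)
    resp = server.device_authorization("cli-tool", "openid profile")
    dc, events = resp["device_code"], []
    events.append(server.token("cli-tool", DEVICE_CODE_GRANT, dc)["error"])
    clock.advance(1)                                       # polled inside interval
    events.append(server.token("cli-tool", DEVICE_CODE_GRANT, dc)["error"])
    clock.advance(10)                                      # backed off to 10 s
    events.append(server.token("cli-tool", DEVICE_CODE_GRANT, dc)["error"])
    events.append(server.verify("alice", resp["user_code"], approve=True))
    clock.advance(10)
    tok = server.token("cli-tool", DEVICE_CODE_GRANT, dc)
    events.append("token" if "access_token" in tok else tok["error"])
    events.append(server.token("other-client", DEVICE_CODE_GRANT, dc)["error"])
    events.append(server.token("cli-tool", DEVICE_CODE_GRANT, dc)["error"])
    return events


if __name__ == "__main__":
    print(run_demo())
```

The points a reviewer would check against the notes above: the `device_code` is high-entropy and bound to the `client_id` that requested it, the `user_code` lookup gives the same answer for unknown and expired codes, a poll inside `interval` is answered with `slow_down` rather than served, and a redeemed code cannot be replayed.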