libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases 1 Packages Activity Actions

KEYCLOAK-7675 Support for Device Authorization Grant

Browse source
This commit is contained in:
Michito Okai 2021-03-12 17:23:58 +09:00 committed by Marek Posolda
parent cdc50fb328
commit 68dcd06748
3 changed files with 34 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
securing_apps/topics/oidc/oidc-generic.adoc
View file

@ -94,6 +94,15 @@ The token revocation endpoint is used to revoke tokens. Both refresh tokens and
For more details on how to invoke on this endpoint, see https://tools.ietf.org/html/rfc7009[OAuth 2.0 Token Revocation specification].
===== Device Authorization Endpoint
....
/realms/{realm-name}/protocol/openid-connect/auth/device
....
The device authorization endpoint is used to obtain a device code and a user code. It can only be invoked by confidential clients.
For more details on how to invoke on this endpoint, see https://tools.ietf.org/html/rfc8628[OAuth 2.0 Device Authorization Grant specification].
==== Validating Access Tokens
If you need to manually validate access tokens issued by {project_name} you can invoke the <<_token_introspection_endpoint,Introspection Endpoint>>.
@ -180,6 +189,17 @@ This flow is not included in OpenID Connect, but is a part of the OAuth 2.0 spec
For more details refer to the https://tools.ietf.org/html/rfc6749#section-4.4[Client Credentials Grant] chapter in the OAuth 2.0 specification.
===== Device Authorization Grant
Device Authorization Grant is used by clients running on internet-connected devices that have limited input capabilities or lack a suitable browser.
The application requests {project_name} a device code and a user code. {project_name} creates a device code and a user code.
{project_name} returns a response including the device code and the user code to the application.
Then the application provides the user with the user code and the verification URI. The user accesses a verification URI to be authenticated by using another browser.
The application repeatedly polls {project_name} until {project_name} completes the user authorization.
If user authentication is complete, the application obtains the device code. Then the application uses the device code along with its credentials to obtain an Access Token, Refresh Token and ID Token from {project_name}.
For more details refer to the https://tools.ietf.org/html/rfc8628[OAuth 2.0 Device Authorization Grant specification].
==== Redirect URIs
When using the redirect based flows it's important to use valid redirect uris for your clients. The redirect uris should be as specific as possible. This

4
server_admin/topics/clients/client-oidc.adoc
View file

@ -79,6 +79,10 @@ If this is on, clients are allowed to use the OIDC <<_oidc-auth-flows,Implicit F
If this is on, clients are allowed to use the OIDC <<_oidc-auth-flows,Direct Access Grants>>.
*OAuth 2.0 Device Authorization Grant Enabled*
If this is on, clients are allowed to use the OIDC <<_oidc-auth-flows,Device Authorization Grant>>.
*Root URL*
If {project_name} uses any configured relative URLs, this value is prepended to them.

10
server_admin/topics/sso-protocols/oidc.adoc
View file

@ -89,6 +89,14 @@ This is also used by REST clients, but instead of obtaining a token that works o
of an external user, a token is created based on the metadata and permissions of a service account that is associated with the client.
More info together with example is in <<_service_accounts,Service Accounts>> chapter.
===== Device Authorization Grant
This is used by clients running on internet-connected devices that have limited input capabilities or lack a suitable browser. Here's a brief summary of the protocol:
. The application requests {project_name} a device code and a user code. {project_name} creates a device code and a user code. {project_name} returns a response including the device code and the user code to the application.
. The application provides the user with the user code and the verification URI. The user accesses a verification URI to be authenticated by using another browser.
. The application repeatedly polls {project_name} to find out if the user completed the user authorization. If user authentication is complete, the application exchanges the device code for an _identity_, _access_ and _refresh_ token.
[[_oidc-endpoints]]
==== {project_name} Server OIDC URI Endpoints
@ -111,5 +119,7 @@ You can also find these endpoints under "OpenID Endpoint Configuration" in your
This is the URL endpoint for OAuth 2.0 Token Revocation described in https://tools.ietf.org/html/rfc7009[RFC7009].
/realms/{realm-name}/protocol/openid-connect/certs::
This is the URL endpoint for the JSON Web Key Set (JWKS) containing the public keys used to verify any JSON Web Token (jwks_uri)
/realms/{realm-name}/protocol/openid-connect/auth/device::
This is the URL endpoint for Device Authorization Grant to obtain a device code and a user code.
In all of these replace _{realm-name}_ with the name of the realm.