fix(auth): request configured scopes in device authorization flow#231
Open
lodekeeper wants to merge 1 commit into
Conversation
requestDeviceCode only sent client_id (+ optional resource) to the device authorization endpoint, omitting the scope parameter. The configured scopes include offline_access, so dropping them meant the device (--no-browser / headless) flow never requested offline_access and the provider returned no refresh token.

Without a refresh token, store.refresh() short-circuits on "no refresh token available", so headless/SSH sessions can never auto-refresh and must re-run the full device flow every time the 1h access token expires.

The browser (authorization-code) flow already forwards c.cfg.Scopes via buildAuthURL; mirror that in requestDeviceCode. scope is a valid optional parameter on the device authorization request (RFC 8628 §3.1).

Verified against an Authentik provider: with this change the device flow returns a refresh token and the store's auto-refresh path works, so headless logins no longer re-authenticate on every expiry.

🤖 Generated with AI assistance

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Problem

The device authorization (--no-browser / headless, auto-selected over SSH) login never receives a refresh token, so headless/SSH sessions must re-run the entire interactive device flow every time the ~1h access token expires.

Root cause:

requestDeviceCode builds the device authorization request with only client_id (+ optional resource) and omits the scope parameter:

The default scopes set in New include offline_access:

…but since the device flow never forwards them, offline_access is never requested and the provider returns an access-token-only response. The browser (authorization-code) flow is unaffected — buildAuthURL already forwards c.cfg.Scopes.

Downstream impact:

store.refresh() bails out without a refresh token:

So the store auto-refresh path can never run for headless logins — every expiry forces a fresh interactive device flow.

Fix

Forward the configured scopes in the device authorization request, mirroring buildAuthURL:

scope is a valid (optional) parameter on the device authorization request per RFC 8628 §3.1.

Verification

- TestRequestDeviceCodeRequestsOfflineAccessScope (mirrors the existing TestBuildAuthURLOmitsResourceWhenEmpty). It fails without the fix (scope empty) and passes with it.
- store auto-refresh path then keeps the session alive without re-running the device flow.
- go test ./pkg/auth/client/... ./pkg/auth/store/... passes; gofmt clean.

🤖 Generated with AI assistance
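The fix described above, as an added stand-alone example in Go that is not the project's own code: it builds the RFC 8628 §3.1 device authorization form with client_id, the configured scopes and an optional resource indicator, and shows the downstream check the PR describes, namely that a token response without refresh_token cannot be renewed silently. The type and function names (DeviceAuthConfig, buildDeviceAuthForm, requestsOfflineAccess, canAutoRefresh) and the sample values are assumptions made for this example, not identifiers from the repository.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// DeviceAuthConfig is the subset of client configuration the device
// authorization request needs. The type is an assumption for this
// example, not the project's own config type.
type DeviceAuthConfig struct {
	ClientID string
	Scopes   []string // e.g. openid, profile, offline_access
	Resource string   // optional resource indicator, forwarded only when set
}

// buildDeviceAuthForm builds the application/x-www-form-urlencoded body
// for the RFC 8628 §3.1 device authorization request. In contrast to the
// pre-fix behaviour the PR describes, it forwards the configured scopes,
// so offline_access reaches the provider and a refresh token is issued.
func buildDeviceAuthForm(cfg DeviceAuthConfig) url.Values {
	form := url.Values{}
	form.Set("client_id", cfg.ClientID)
	if len(cfg.Scopes) > 0 {
		// RFC 8628 §3.1: scope is OPTIONAL and space-delimited.
		form.Set("scope", strings.Join(cfg.Scopes, " "))
	}
	if cfg.Resource != "" {
		form.Set("resource", cfg.Resource)
	}
	return form
}

// requestsOfflineAccess reports whether the form asks for the
// offline_access scope, the precondition for receiving a refresh token.
func requestsOfflineAccess(form url.Values) bool {
	for _, s := range strings.Fields(form.Get("scope")) {
		if s == "offline_access" {
			return true
		}
	}
	return false
}

// tokenResponse models the RFC 6749 §5.1 token response fields relevant
// here; refresh_token is absent when offline_access was not granted.
type tokenResponse struct {
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token,omitempty"`
	ExpiresIn    int    `json:"expires_in"`
}

// canAutoRefresh mirrors the short-circuit the PR attributes to
// store.refresh(): with no refresh token the session cannot be renewed
// without re-running the interactive flow.
func canAutoRefresh(raw []byte) (bool, error) {
	var tr tokenResponse
	if err := json.Unmarshal(raw, &tr); err != nil {
		return false, err
	}
	return tr.RefreshToken != "", nil
}

func main() {
	// Constructed sample configuration for demonstration only.
	cfg := DeviceAuthConfig{
		ClientID: "example-cli",
		Scopes:   []string{"openid", "profile", "offline_access"},
		Resource: "https://api.example.invalid",
	}
	form := buildDeviceAuthForm(cfg)
	fmt.Println("device authorization body:", form.Encode())
	fmt.Println("requests offline_access:", requestsOfflineAccess(form))

	// Constructed token responses: one without and one with a refresh token.
	for _, raw := range []string{
		`{"access_token":"at-1","expires_in":3600}`,
		`{"access_token":"at-2","refresh_token":"rt-2","expires_in":3600}`,
	} {
		ok, err := canAutoRefresh([]byte(raw))
		fmt.Printf("auto-refresh possible: %v (err=%v)\n", ok, err)
	}
}
```

A regression test in the spirit of the PR's TestRequestDeviceCodeRequestsOfflineAccessScope would assert that the encoded form contains scope with offline_access, and that a configuration without scopes or resource omits both keys rather than sending them empty.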