fix: device code should not require scope

As per RFC8628 section 3.1, https://datatracker.ietf.org/doc/html/rfc8628#section-3.1 the scope is optional. Since dex always requires at least 'openid', default the value to comply with the RFC. Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
9 months ago · d6237a8a6e
2 changed files with 14 additions and 0 deletions
--- a/server/deviceflowhandlers.go
+++ b/server/deviceflowhandlers.go
@ -85,6 +85,12 @@ func (s *Server) handleDeviceCode(w http.ResponseWriter, r *http.Request) {
 			return
 		}

+		if len(scopes) == 0 {
+			// per RFC8628 section 3.1, https://datatracker.ietf.org/doc/html/rfc8628#section-3.1
+			// scope is optional but dex requires that it is always at least 'openid' so default it
+			scopes = []string{"openid"}
+		}
+
 		s.logger.InfoContext(r.Context(), "received device request", "client_id", clientID, "scoped", scopes)

 		// Make device code
--- a/server/deviceflowhandlers_test.go
+++ b/server/deviceflowhandlers_test.go
@ -90,6 +90,14 @@ func TestHandleDeviceCode(t *testing.T) {
 			expectedResponseCode: http.StatusBadRequest,
 			expectedContentType:  "application/json",
 		},
+		{
+			testName:             "New Code without scope",
+			clientID:             "test",
+			requestType:          "POST",
+			scopes:               []string{},
+			expectedResponseCode: http.StatusOK,
+			expectedContentType:  "application/json",
+		},
 	}
 	for _, tc := range tests {
 		t.Run(tc.testName, func(t *testing.T) {