From d6237a8a6ed69c8f447646c53dca92d353c83562 Mon Sep 17 00:00:00 2001
From: Doug Goldstein
Date: Tue, 1 Jul 2025 20:00:01 -0500
Subject: [PATCH] fix: device code should not require scope

As per RFC8628 section 3.1, https://datatracker.ietf.org/doc/html/rfc8628#section-3.1 the scope is optional. Since dex always requires at least 'openid', default the value to comply with the RFC.

Signed-off-by: Doug Goldstein
---
 server/deviceflowhandlers.go      | 6 ++++++
 server/deviceflowhandlers_test.go | 8 ++++++++
 2 files changed, 14 insertions(+)

diff --git a/server/deviceflowhandlers.go b/server/deviceflowhandlers.go
index 380e40aa..c2660ff9 100644
--- a/server/deviceflowhandlers.go
+++ b/server/deviceflowhandlers.go
@@ -85,6 +85,12 @@ func (s *Server) handleDeviceCode(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if len(scopes) == 0 {
+		// per RFC8628 section 3.1, https://datatracker.ietf.org/doc/html/rfc8628#section-3.1
+		// scope is optional but dex requires that it is always at least 'openid' so default it
+		scopes = []string{"openid"}
+	}
+
 	s.logger.InfoContext(r.Context(), "received device request", "client_id", clientID, "scoped", scopes)
 
 	// Make device code
diff --git a/server/deviceflowhandlers_test.go b/server/deviceflowhandlers_test.go
index 151c7508..59d81631 100644
--- a/server/deviceflowhandlers_test.go
+++ b/server/deviceflowhandlers_test.go
@@ -90,6 +90,14 @@ func TestHandleDeviceCode(t *testing.T) {
 			expectedResponseCode: http.StatusBadRequest,
 			expectedContentType: "application/json",
 		},
+		{
+			testName: "New Code without scope",
+			clientID: "test",
+			requestType: "POST",
+			scopes: []string{},
+			expectedResponseCode: http.StatusOK,
+			expectedContentType: "application/json",
+		},
 	}
 	for _, tc := range tests {
 		t.Run(tc.testName, func(t *testing.T) {
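Review bot: The default is applied before the `received device request` log line, so a client that sent no scope at all is logged as having asked for `openid` and the two cases can no longer be told apart when reviewing device-flow activity. Either record the fact in the same log call, e.g. `"scope_defaulted", len(scopes) == 0` computed before the substitution, or move the new `if` block below the logger call so the log keeps the request as received. The added comment could also state the observable effect more plainly, e.g. `// RFC 8628 §3.1 makes scope OPTIONAL; dex needs at least "openid", so an absent scope is treated as exactly that.` Whether `scopes` here was derived from a missing parameter, an empty `scope=` value, or a whitespace-only value is not visible in the hunk; handleDeviceCode starts and ends outside it.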
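Review bot: The new case in deviceflowhandlers_test.go sets `scopes: []string{}`, which, depending on how the table builds the form (not visible here), may send `scope=` with an empty value rather than omitting the parameter as RFC 8628 §3.1 describes for a client that requests no scope; if those two paths differ in the handler, the absent-parameter case is untested. A second case with `scopes: nil` (or whatever the table uses to leave the parameter out) would cover it, and asserting that the issued device code carries exactly `openid` would pin the defaulting rather than only the 200 status. TestHandleDeviceCode starts and ends outside the hunk.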