Description
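# Device-flow token poll (RFC 8628 section 3.4) as sent by the reporter.
# Line continuations are restored so the command pastes as a single invocation.
# 'Accept: /' is presumably '*/*' with the asterisks lost in rendering.
# NOTE(review): the endpoint is http://, so the Basic client credentials, the
# session cookie and the device_code cross the network unencrypted; a token
# endpoint should be reached over TLS.
# NOTE(review): the Authorization value is only Base64 of client_id:client_secret
# (an encoding, not protection). Together with the SESSION cookie and device_code
# it is now public in this report, so treat all three as disclosed: rotate the
# client secret and redact such values before posting.
curl --location --request POST 'http://identity.nuzar.com/oauth2/token' \
  --header 'User-Agent: Apifox/1.0.0 (https://www.apifox.cn)' \
  --header 'Authorization: Basic NzhhZWQwZmQzNGQxNDJlNjg5YjQwOTYzOWNmNDYyMjA6TnV6YXIxMjM0NTZf' \
  --header 'Accept: */*' \
  --header 'Host: identity.nuzar.com' \
  --header 'Connection: keep-alive' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --header 'Cookie: SESSION=MThhMWQ2ZmYtYjIxYS00YmFiLTlmMDEtNjQzY2VjZGU0Mjhh' \
  --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:device_code' \
  --data-urlencode 'device_code=sRN6Nk_1uuuHpitZJP63pf6NgADAviPG8nS1FbAsl6bknfNnj6F2HrDRprS5lU-PMF7FR-6ECLBOn5oO_SMaDpa3FbK45OW_3VXfX8mSRb_ptVDUWUjh1dS7PlGgjnKo'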
response:
{
"error": "authorization_pending",
"error_uri": "https://datatracker.ietf.org/doc/html/rfc8628#section-3.5"
}
The device code has expired, but the response is always "authorization_pending".
It should be "expired_token".
// Excerpt of the device-code token checks quoted by the reporter. The enclosing
// method and the code that obtains `authorization`, `userCode` and `deviceCode`
// are not shown here.
// authorization_pending
// Returned while the user code has not been invalidated.
// NOTE(review): this check runs before the deviceCode.isExpired() check further
// down. As far as this excerpt shows, an expired device code whose user code was
// never invalidated therefore leaves through this branch and never reaches
// "expired_token", which matches the reported behaviour. A polling client then
// gets no terminal error and the device authorization session is never
// concluded on the server side -- confirm against the full method.
if (!userCode.isInvalidated()) {
OAuth2Error error = new OAuth2Error(AUTHORIZATION_PENDING, null, DEVICE_ERROR_URI);
throw new OAuth2AuthenticationException(error);
}
// slow_down
// A variant of "authorization_pending", the authorization request is
// still pending and polling should continue, but the interval MUST
// be increased by 5 seconds for this and all subsequent requests.
// NOTE: This error is not handled in the framework.
// access_denied
// The authorization request was denied.
// Reached only once the user code has been invalidated (see the check above);
// an invalidated device code is reported as access_denied.
if (deviceCode.isInvalidated()) {
OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.ACCESS_DENIED, null, DEVICE_ERROR_URI);
throw new OAuth2AuthenticationException(error);
}
// expired_token
// The "device_code" has expired, and the device authorization
// session has concluded. The client MAY commence a new device
// authorization request but SHOULD wait for user interaction before
// restarting to avoid unnecessary polling.
if (deviceCode.isExpired()) {
// Invalidate the device code
// The invalidated authorization is saved before the error is thrown, so the
// invalidation is persisted through authorizationService.
authorization = OAuth2AuthenticationProviderUtils.invalidate(authorization, deviceCode.getToken());
this.authorizationService.save(authorization);
// Warn-level log entry naming the registered client id. It is emitted only on
// this branch, so expired codes that exit through an earlier check are not logged here.
if (this.logger.isWarnEnabled()) {
this.logger.warn(LogMessage.format(
"Invalidated device code used by registered client '%s'", authorization.getRegisteredClientId()));
}
OAuth2Error error = new OAuth2Error(EXPIRED_TOKEN, null, DEVICE_ERROR_URI);
throw new OAuth2AuthenticationException(error);
}