Description
If you make a valid Device Access Token Request and do not grant/deny consent from the provided `verification_uri_complete`, then all polls of the token endpoint will indefinitely return `authorization_pending`.

If you have a client which will continue polling while receiving `authorization_pending` (rather than using `expires_in`), then the client will poll forever.

The reason for this is that `authorization_pending` is always returned if the user code is not invalidated (Line 150), irrespective of the age of the device code. The only operation that will invalidate the user code is granting/denying consent from the device verification consent page.

I believe that the check for the device code expiring (Line 173) should be moved before the check for user code invalidation.

The test `authenticateWhenDeviceCodeIsExpiredThenThrowOAuth2AuthenticationException` only passes because the user code is created in an invalidated state. The following update to the test demonstrates the failure.
```diff
 @Test
 public void authenticateWhenDeviceCodeIsExpiredThenThrowOAuth2AuthenticationException() {
 	RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
 	Authentication authentication = createAuthentication(registeredClient);
 	OAuth2Authorization authorization = TestOAuth2Authorizations.authorization(registeredClient)
 			.token(createExpiredDeviceCode())
-			.token(createUserCode(), withInvalidated())
+			.token(createUserCode())
 			.build();
 	given(this.authorizationService.findByToken(anyString(), any(OAuth2TokenType.class))).willReturn(authorization);
 	// @formatter:off
 	assertThatExceptionOfType(OAuth2AuthenticationException.class)
 			.isThrownBy(() -> this.authenticationProvider.authenticate(authentication))
 			.extracting(OAuth2AuthenticationException::getError)
```
This was previously raised in #1556, but that issue was closed as the feedback requested was not provided.
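The ordering problem described in this issue, as an added illustration that is not the project's code: a simplified model of the token endpoint's device-code checks in the reported order and in the proposed order, polled by a client that ignores `expires_in`. The `DeviceAuthorization` type, the two endpoint functions and the polling client are constructed for this example; the `expired_token` and `access_denied` error strings are the RFC 8628 values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class DeviceAuthorization:
    # Constructed stand-in for the stored authorization (not the project's own types).
    device_code_expires_at: datetime
    user_code_invalidated: bool = False  # only a consent grant/deny flips this
    consent_granted: bool = False

def token_endpoint_reported(auth: DeviceAuthorization, now: datetime) -> str:
    """Ordering the issue describes: user-code state first, device-code expiry second."""
    if not auth.user_code_invalidated:
        return "authorization_pending"  # reached even for a long-expired device code
    if now >= auth.device_code_expires_at:
        return "expired_token"
    return "access_token" if auth.consent_granted else "access_denied"

def token_endpoint_fixed(auth: DeviceAuthorization, now: datetime) -> str:
    """Ordering the issue proposes: device-code expiry checked before user-code state."""
    if now >= auth.device_code_expires_at:
        return "expired_token"
    if not auth.user_code_invalidated:
        return "authorization_pending"
    return "access_token" if auth.consent_granted else "access_denied"

def naive_client_poll(server, auth, start, interval_s=5, max_polls=1000):
    """Client that ignores expires_in and keeps polling while authorization_pending."""
    now = start
    for polls in range(1, max_polls + 1):
        result = server(auth, now)
        if result != "authorization_pending":
            return result, polls
        now += timedelta(seconds=interval_s)
    return "still_pending", max_polls  # bounded here only so the demo terminates

def demo():
    # Constructed scenario: device code valid for 300 s, user never visits the consent page.
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    auth = DeviceAuthorization(device_code_expires_at=start + timedelta(seconds=300))
    return {
        "reported": naive_client_poll(token_endpoint_reported, auth, start),
        "fixed": naive_client_poll(token_endpoint_fixed, auth, start),
    }

if __name__ == "__main__":
    print(demo())
```

With the reported ordering the client never sees anything but `authorization_pending`; with the expiry check first it receives `expired_token` on the first poll after the device code's lifetime.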