Description
Hi,
Describe the bug
OAuth2DeviceVerificationAuthenticationProvider only gets the provided user code but does not check its expiration. It means that a user can input an expired user code and still "complete" the flow on their second device. The flow would later fail on the /oauth2/token call because the device code is expired.
To Reproduce
Use the "DemoAuthorizationServerApplication" sample.
Before starting the sample, reduce the device/user code duration (so as not to wait too long):
.tokenSettings(TokenSettings.builder().deviceCodeTimeToLive(Duration.ofSeconds(30)).build())
Start a device code flow with some scope(s). For example, use the request below to start the flow:
POST http://localhost:9000/oauth2/device_authorization
scope=message.read&client_id=device-messaging-client
Wait for the expiration (30s) before continuing the flow on the second device (i.e. entering http://localhost:9000/activate?user_code=X in a browser).
The browser shows that the flow "correctly" completed. But once the tokens are requested (token endpoint), it returns the error "expired_token". It seems to me that the error happens too late. The user should be blocked on their second device because the user code is expired.
Expected behavior
An error should occur on the second device if the user code is expired.
I can provide additional details, just let me know.
Thank you
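The check the report is asking for, written out as an added example; this is not code from Spring Authorization Server or from the reporter. It loads the authorization by user code the same way the framework indexes user codes (a token type keyed on OAuth2ParameterNames.USER_CODE, assumed to match the provider's own lookup) and rejects the code at the verification step when it is unknown, already consumed, or past its expires_at, using the OAuth2ErrorCodes.EXPIRED_TOKEN constant the token endpoint already reports. The package name, class name and method name are hypothetical.

```java
// Added example, not the project's own code: fail fast on an expired user
// code at the device verification step instead of at /oauth2/token.
package example; // hypothetical package

import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.OAuth2UserCode;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;

public final class UserCodeExpiryCheck {

    // Token type used to look up an authorization by its user code.
    // Assumed to match the key the device authorization endpoint stores it under.
    static final OAuth2TokenType USER_CODE_TOKEN_TYPE =
            new OAuth2TokenType(OAuth2ParameterNames.USER_CODE);

    private final OAuth2AuthorizationService authorizationService;

    public UserCodeExpiryCheck(OAuth2AuthorizationService authorizationService) {
        this.authorizationService = authorizationService;
    }

    /**
     * Returns the authorization bound to the given user code, or throws an
     * OAuth2AuthenticationException when the code is unknown, already used,
     * or expired. Callers should run this before marking the verification
     * step as complete on the second device.
     */
    public OAuth2Authorization requireValidUserCode(String userCode) {
        OAuth2Authorization authorization =
                this.authorizationService.findByToken(userCode, USER_CODE_TOKEN_TYPE);
        if (authorization == null) {
            throw new OAuth2AuthenticationException(
                    new OAuth2Error(OAuth2ErrorCodes.INVALID_GRANT, "unknown user_code", null));
        }

        OAuth2Authorization.Token<OAuth2UserCode> userCodeToken =
                authorization.getToken(OAuth2UserCode.class);
        if (userCodeToken == null || userCodeToken.isInvalidated()) {
            // A user code is single-use: once verified it is invalidated.
            throw new OAuth2AuthenticationException(
                    new OAuth2Error(OAuth2ErrorCodes.INVALID_GRANT, "user_code already consumed", null));
        }

        // isExpired() compares the token's expires_at (set from
        // deviceCodeTimeToLive) against the current instant. This is the
        // check the report says is missing: without it the browser shows a
        // successful activation and the failure only surfaces later at
        // /oauth2/token as "expired_token".
        if (userCodeToken.isExpired()) {
            throw new OAuth2AuthenticationException(
                    new OAuth2Error(OAuth2ErrorCodes.EXPIRED_TOKEN, "user_code has expired", null));
        }

        return authorization;
    }
}
```

When testing this against the sample, keep the deviceCodeTimeToLive short as above and call requireValidUserCode after the 30 seconds have elapsed; the expected outcome is an OAuth2AuthenticationException carrying expired_token at the activate step, so the second device never sees a "completed" page for a code the token endpoint will refuse.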