Add Predicate for authorizationConsentRequired for device code grant #2048
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
spring-projects-issues
added
the
status: waiting-for-triage
dineshgupta630
force-pushed
the
gh-1965-device-consent
branch
from
1bfbd37 to
9f0dfc6
Compare
Previously, device consent handling did not provide a dedicated context for device verification authentication flows. This commit introduces OAuth2DeviceVerificationAuthenticationContext and updates related providers and tests to enhance device authorization and consent flows. Fixes spring-projectsgh-1965 Signed-off-by: Dinesh Gupta <[email protected]> Add Predicate for authorizationConsentRequired for device code grant Introduce a customizable Predicate to determine whether user authorization consent is required in the Device Code grant flow. This enhancement allows applications to define custom logic for skipping or displaying the consent page, enabling greater flexibility to handle cases where user code confirmation and scope approval may be decoupled. The default behavior is preserved, but can be overridden by calling OAuth2DeviceVerificationAuthenticationProvider#setAuthorizationConsentRequired(Predicate). Closes: spring-projectsgh-1965 Signed-off-by: Dinesh Gupta <[email protected]> Add Predicate for authorizationConsentRequired for device code grant This commit introduces a Predicate extension point for determining if user consent is required during the OAuth 2.0 Device Authorization Grant (device code flow). - Adds OAuth2DeviceVerificationAuthenticationContext to provide context to the Predicate - Updates OAuth2DeviceVerificationAuthenticationProvider to support a custom Predicate via setAuthorizationConsentRequired - Refactors default consent logic to use the Predicate - Updates and adds tests for custom Predicate behavior Closes spring-projectsgh-1965 Signed-off-by: Dinesh Gupta <[email protected]> Refactor DeviceVerification context to align with code grant context Refactored OAuth2DeviceVerificationAuthenticationContext to use a map-based structure consistent with OAuth2AuthorizationCodeRequestAuthenticationContext. Aligned method signatures, builder pattern, and attribute handling for consistency and extensibility. Updated OAuth2DeviceVerificationAuthenticationProvider to use the revised context and normalize requested scopes. Closes spring-projectsgh-1965-device-consent Authored-by: Dinesh Gupta <[email protected]> Align device verification consent logic with code grant context Refactored OAuth2DeviceVerificationAuthenticationProvider and its tests to ensure the device verification consent logic and structure are consistent with the authorization code flow. Improved test consistency, predicate usage, and aligned context handling for maintainability. Closes spring-projectsgh-1965-device-consent Authored-by: Dinesh Gupta <[email protected]> Clarify Javadoc for device consent predicate Closes spring-projectsgh-1965-device-consent Authored-by: Dinesh Gupta <[email protected]> Signed-off-by: Dinesh Gupta <[email protected]> Fix test cases for device code consent predicate Cleaned up and improved consistency of test cases related to the device code authorizationConsentRequired predicate. Signed-off-by: Dinesh Gupta <[email protected]>
dineshgupta630
force-pushed
the
gh-1965-device-consent
branch
from
9f0dfc6 to
e16d62e
Compare
dineshgupta630
changed the title
jgrandja
added
type: enhancement
|
Thanks for the PR @dineshgupta630. I will review this soon. |
jgrandja
requested changes
Jul 14, 2025
There was a problem hiding this comment.
Thanks for the PR @dineshgupta630. Please see review comments.
Also, can you please update the commit message to be a shorter summary of the changes. Thanks.
| * </p> | ||
| * @param authorizationConsentRequired the {@code Predicate} used to determine if | ||
| * authorization consent is required for device verification | ||
| * @since 2.0.0 |
| @@ -0,0 +1,185 @@ | |||
| /* | |||
| * Copyright 2025 the original author or authors. | |||
There was a problem hiding this comment.
Update copyright year -> 2020-2025
| * determining if authorization consent is required. | ||
| * | ||
| * @author Dinesh Gupta | ||
| * @since 2.0.0 |
| @SuppressWarnings("unchecked") | ||
| @Nullable | ||
| @Override | ||
| public <T extends Authentication> T getAuthentication() { |
There was a problem hiding this comment.
This can be removed as the default method in OAuth2AuthenticationContext is the same.
| /** | ||
| * A builder for {@link OAuth2DeviceVerificationAuthenticationContext}. | ||
| */ | ||
| public static final class Builder { |
There was a problem hiding this comment.
Builder should extend AbstractBuilder, see OAuth2AuthorizationCodeRequestAuthenticationContext for example
| * Returns the {@link OAuth2Authorization authorization}. | ||
| * @return the {@link OAuth2Authorization}, or {@code null} if not available | ||
| */ | ||
| @Nullable |
There was a problem hiding this comment.
OAuth2Authorization should never be null
| Set<String> requestedScopes = authorization.getAttribute(OAuth2ParameterNames.SCOPE); | ||
| authenticationContextBuilder.requestedScopes(requestedScopes); |
There was a problem hiding this comment.
I don't think we need to provide requestedScopes() since OAuth2Authorization is supplied in the context and it contains request scopes via authorization.getAttribute(OAuth2ParameterNames.SCOPE).
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds a pluggable predicate to control whether consent is required in the device code grant flow . Fixes #1965
Notes: No breaking changes; the predicate is opt-in.