vendor/github.com/Azure/go-autorest/autorest/azure/devicetoken.go


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193

package azure

/*
  This file is largely based on rjw57/oauth2device's code, with the follow differences:
   * scope -> resource, and only allow a single one
   * receive "Message" in the DeviceCode struct and show it to users as the prompt
   * azure-xplat-cli has the following behavior that this emulates:
     - does not send client_secret during the token exchange
     - sends resource again in the token exchange request
*/

import (
    "fmt"
    "net/http"
    "net/url"
    "time"

    "github.com/Azure/go-autorest/autorest"
)

const (
    logPrefix = "autorest/azure/devicetoken:"
)

var (
    // ErrDeviceGeneric represents an unknown error from the token endpoint when using device flow
    ErrDeviceGeneric = fmt.Errorf("%s Error while retrieving OAuth token: Unknown Error", logPrefix)

    // ErrDeviceAccessDenied represents an access denied error from the token endpoint when using device flow
    ErrDeviceAccessDenied = fmt.Errorf("%s Error while retrieving OAuth token: Access Denied", logPrefix)

    // ErrDeviceAuthorizationPending represents the server waiting on the user to complete the device flow
    ErrDeviceAuthorizationPending = fmt.Errorf("%s Error while retrieving OAuth token: Authorization Pending", logPrefix)

    // ErrDeviceCodeExpired represents the server timing out and expiring the code during device flow
    ErrDeviceCodeExpired = fmt.Errorf("%s Error while retrieving OAuth token: Code Expired", logPrefix)

    // ErrDeviceSlowDown represents the service telling us we're polling too often during device flow
    ErrDeviceSlowDown = fmt.Errorf("%s Error while retrieving OAuth token: Slow Down", logPrefix)

    errCodeSendingFails   = "Error occurred while sending request for Device Authorization Code"
    errCodeHandlingFails  = "Error occurred while handling response from the Device Endpoint"
    errTokenSendingFails  = "Error occurred while sending request with device code for a token"
    errTokenHandlingFails = "Error occurred while handling response from the Token Endpoint (during device flow)"
)

// DeviceCode is the object returned by the device auth endpoint
// It contains information to instruct the user to complete the auth flow
type DeviceCode struct {
    DeviceCode      *string `json:"device_code,omitempty"`
    UserCode        *string `json:"user_code,omitempty"`
    VerificationURL *string `json:"verification_url,omitempty"`
    ExpiresIn       *int64  `json:"expires_in,string,omitempty"`
    Interval        *int64  `json:"interval,string,omitempty"`

    Message     *string `json:"message"` // Azure specific
    Resource    string  // store the following, stored when initiating, used when exchanging
    OAuthConfig OAuthConfig
    ClientID    string
}

// TokenError is the object returned by the token exchange endpoint
// when something is amiss
type TokenError struct {
    Error            *string `json:"error,omitempty"`
    ErrorCodes       []int   `json:"error_codes,omitempty"`
    ErrorDescription *string `json:"error_description,omitempty"`
    Timestamp        *string `json:"timestamp,omitempty"`
    TraceID          *string `json:"trace_id,omitempty"`
}

// DeviceToken is the object return by the token exchange endpoint
// It can either look like a Token or an ErrorToken, so put both here
// and check for presence of "Error" to know if we are in error state
type deviceToken struct {
    Token
    TokenError
}

// InitiateDeviceAuth initiates a device auth flow. It returns a DeviceCode
// that can be used with CheckForUserCompletion or WaitForUserCompletion.
func InitiateDeviceAuth(client *autorest.Client, oauthConfig OAuthConfig, clientID, resource string) (*DeviceCode, error) {
    req, _ := autorest.Prepare(
        &http.Request{},
        autorest.AsPost(),
        autorest.AsFormURLEncoded(),
        autorest.WithBaseURL(oauthConfig.DeviceCodeEndpoint.String()),
        autorest.WithFormData(url.Values{
            "client_id": []string{clientID},
            "resource":  []string{resource},
        }),
    )

    resp, err := autorest.SendWithSender(client, req)
    if err != nil {
        return nil, fmt.Errorf("%s %s: %s", logPrefix, errCodeSendingFails, err)
    }

    var code DeviceCode
    err = autorest.Respond(
        resp,
        autorest.WithErrorUnlessStatusCode(http.StatusOK),
        autorest.ByUnmarshallingJSON(&code),
        autorest.ByClosing())
    if err != nil {
        return nil, fmt.Errorf("%s %s: %s", logPrefix, errCodeHandlingFails, err)
    }

    code.ClientID = clientID
    code.Resource = resource
    code.OAuthConfig = oauthConfig

    return &code, nil
}

// CheckForUserCompletion takes a DeviceCode and checks with the Azure AD OAuth endpoint
// to see if the device flow has: been completed, timed out, or otherwise failed
func CheckForUserCompletion(client *autorest.Client, code *DeviceCode) (*Token, error) {
    req, _ := autorest.Prepare(
        &http.Request{},
        autorest.AsPost(),
        autorest.AsFormURLEncoded(),
        autorest.WithBaseURL(code.OAuthConfig.TokenEndpoint.String()),
        autorest.WithFormData(url.Values{
            "client_id":  []string{code.ClientID},
            "code":       []string{*code.DeviceCode},
            "grant_type": []string{OAuthGrantTypeDeviceCode},
            "resource":   []string{code.Resource},
        }),
    )

    resp, err := autorest.SendWithSender(client, req)
    if err != nil {
        return nil, fmt.Errorf("%s %s: %s", logPrefix, errTokenSendingFails, err)
    }

    var token deviceToken
    err = autorest.Respond(
        resp,
        autorest.WithErrorUnlessStatusCode(http.StatusOK, http.StatusBadRequest),
        autorest.ByUnmarshallingJSON(&token),
        autorest.ByClosing())
    if err != nil {
        return nil, fmt.Errorf("%s %s: %s", logPrefix, errTokenHandlingFails, err)
    }

    if token.Error == nil {
        return &token.Token, nil
    }

    switch *token.Error {
    case "authorization_pending":
        return nil, ErrDeviceAuthorizationPending
    case "slow_down":
        return nil, ErrDeviceSlowDown
    case "access_denied":
        return nil, ErrDeviceAccessDenied
    case "code_expired":
        return nil, ErrDeviceCodeExpired
    default:
        return nil, ErrDeviceGeneric
    }
}

// WaitForUserCompletion calls CheckForUserCompletion repeatedly until a token is granted or an error state occurs.
// This prevents the user from looping and checking against 'ErrDeviceAuthorizationPending'.
func WaitForUserCompletion(client *autorest.Client, code *DeviceCode) (*Token, error) {
    intervalDuration := time.Duration(*code.Interval) * time.Second
    waitDuration := intervalDuration

    for {
        token, err := CheckForUserCompletion(client, code)

        if err == nil {
            return token, nil
        }

        switch err {
        case ErrDeviceSlowDown:
            waitDuration += waitDuration
        case ErrDeviceAuthorizationPending:
            // noop
        default: // everything else is "fatal" to us
            return nil, err
        }

        if waitDuration > (intervalDuration * 3) {
            return nil, fmt.Errorf("%s Error waiting for user to complete device flow. Server told us to slow_down too much", logPrefix)
        }

        time.Sleep(waitDuration)
    }
}