k7iSSKrSSKJr SSKJr SSKJr SSKJr SSKJr SSKJ r S S K J r S S K J r S S K J r \R"\5rS r"SS\\5rg)N) BaseGrant)TokenEndpointMixin)AccessDeniedError)InvalidRequestError)UnauthorizedClientError)hooked)AuthorizationPendingError)ExpiredTokenError) SlowDownErrorz,urn:ietf:params:oauth:grant-type:device_codecR\rSrSrSr\r/SQrSr\ S5r Sr Sr Sr S rS rg ) DeviceCodeGranta This OAuth 2.0 [RFC6749] protocol extension enables OAuth clients to request user authorization from applications on devices that have limited input capabilities or lack a suitable browser. Such devices include smart TVs, media consoles, picture frames, and printers, which lack an easy input method or a suitable browser required for traditional OAuth interactions. Here is the authorization flow:: +----------+ +----------------+ | |>---(A)-- Client Identifier --->| | | | | | | |<---(B)-- Device Code, ---<| | | | User Code, | | | Device | & Verification URI | | | Client | | | | | [polling] | | | |>---(E)-- Device Code --->| | | | & Client Identifier | | | | | Authorization | | |<---(F)-- Access Token ---<| Server | +----------+ (& Optional Refresh Token) | | v | | : | | (C) User Code & Verification URI | | : | | v | | +----------+ | | | End User | | | | at |<---(D)-- End user reviews --->| | | Browser | authorization request | | +----------+ +----------------+ This DeviceCodeGrant is the implementation of step (E) and (F). (E) While the end user reviews the client's request (step D), the client repeatedly polls the authorization server to find out if the user completed the user authorization step. The client includes the device code and its client identifier. (F) The authorization server validates the device code provided by the client and responds with the access token if the client is granted access, an error if they are denied access, or an indication that the client should continue to poll. )client_secret_basicclient_secret_postnonec8URRRRS5nU(d [ S5eUR 5nUR UR5(d[SURS35eURU5nU(d [ S5eUR5UR5:wa [5eURU5nX@Rl X Rl X0Rlg)aAfter displaying instructions to the user, the client creates an access token request and sends it to the token endpoint with the following parameters: grant_type REQUIRED. Value MUST be set to "urn:ietf:params:oauth:grant-type:device_code". device_code REQUIRED. The device verification code, "device_code" from the device authorization response. client_id REQUIRED if the client is not authenticating with the authorization server as described in Section 3.2.1. of [RFC6749]. The client identifier as described in Section 2.2 of [RFC6749]. For example, the client makes the following HTTPS request:: POST /token HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Adevice_code &device_code=GmRhmhcxhwAzkoEqiMEg_DnyEysNkuNhszIySk9eS &client_id=1406020730 device_codez Missing 'device_code' in payloadz3The client is not authorized to use 'response_type='z Invalid 'device_code' in payloadN)requestpayloaddatagetr"authenticate_token_endpoint_clientcheck_grant_type GRANT_TYPErquery_device_credential get_client_idvalidate_device_credentialuserclient credential)selfrr"r#r!s \/home/james-whalen/.local/lib/python3.13/site-packages/authlib/oauth2/rfc8628/device_code.pyvalidate_token_request&DeviceCodeGrant.validate_token_requestAs8ll**//33MB %&HI I88:&&t77)EdooEVVWX 11+> %&HI I  # # %)=)=)? ?)+ +..z: $ ", cHURRnURRR5nUR URR UUR S5S9n[RSX15 URU5 SX0R4$)zIf the access token request is valid and authorized, the authorization server issues an access token and optional refresh token. refresh_token)r!scopeinclude_refresh_tokenzIssue token %r to %r) rr"r# get_scopegenerate_tokenr!rlogdebug save_tokenTOKEN_RESPONSE_HEADER)r$r"r+tokens r%create_token_response%DeviceCodeGrant.create_token_responsess $$ ''113##"""("9"9/"J$  (%8 E5555r(c UR5(a [5eUR5nURU5nUbUupEU(d [ 5eU$UR U5(a [ 5e[5e)N) is_expiredr get_user_codequery_user_grantrshould_slow_downr r )r$r# user_code user_grantr!approveds r%r *DeviceCodeGrant.validate_device_credentialsx  " "#% %,,. **95  !'ND'))K   , ,/ !'))r(c[5e)a9Get device credential from previously savings via ``DeviceAuthorizationEndpoint``. Developers MUST implement it in subclass:: def query_device_credential(self, device_code): return DeviceCredential.get(device_code) :param device_code: a string represent the code. :return: DeviceCredential instance NotImplementedError)r$rs r%r'DeviceCodeGrant.query_device_credentials "##r(c[5e)aGet user and grant via the given user code. Developers MUST implement it in subclass:: def query_user_grant(self, user_code): # e.g. we saved user grant info in redis data = redis.get("oauth_user_grant:" + user_code) if not data: return None user_id, allowed = data.split() user = User.get(user_id) return user, bool(allowed) Note, user grant information is saved by verification endpoint. rA)r$r<s r%r: DeviceCodeGrant.query_user_grants "##r(c[5e)zThe authorization request is still pending and polling should continue, but the interval MUST be increased by 5 seconds for this and all subsequent requests. rA)r$r#s r%r; DeviceCodeGrant.should_slow_downs "##r(N)__name__ __module__ __qualname____firstlineno____doc__DEVICE_CODE_GRANT_TYPErTOKEN_ENDPOINT_AUTH_METHODSr&r r5r rr:r;__static_attributes__rHr(r%rrsC*X(J"W0-d 6 6 *$ $$$$r(r)loggingrfc6749rrrfc6749.errorsrrr rfc6749.hooksr errorsr r r getLoggerrIr0rNrrHr(r%rWsJ(.04"-%! !Gh$i!3h$r(