This repository has been archived by the owner on Nov 18, 2024. It is now read-only.

Implement device code grant type #37

Merged
merged 9 commits into from
Mar 24, 2021

@impl impl commented Mar 10, 2021

Fixes #36

DrDaveD commented Mar 11, 2021

@impl I have a question on this, and for that matter any kind of flow that requests a refresh token through this plugin. Since this is only a secrets plugin, after going through any OAuth flow to get a refresh token do you also get a Vault token? Or is a Vault token with access to a secrets path already required to be obtained some other way?

The way I have been doing things is using the HashiCorp jwt/oidc auth plugin to get a Vault token and refresh token together, and then storing the refresh token in this secrets plugin.

impl commented Mar 11, 2021

The way we use it, we already have access to this engine set up in advance using policies on an existing role. I actually don't think it's possible for a secrets engine to return a Vault token -- it doesn't have access to those Vault APIs. We mainly use this plugin to manage credentials on behalf of our users, so our public-facing interfaces never store a refresh token or even OAuth client secret. I.e., we can grab a token in our application, use it in the scope of a single request to perform some work on a user's behalf, and discard it.

@impl impl marked this pull request as ready for review March 16, 2021 20:51
@impl impl requested a review from a team as a code owner March 16, 2021 20:51
@impl impl force-pushed the features/device-grant branch from 4ffe2eb to edf2848 Compare March 16, 2021 23:56
@kyleterry kyleterry left a comment

Looks good! Once we get the tests pushed up I'll sign off and we can get this merged.

@impl impl merged commit c21baac into master Mar 24, 2021
@impl impl deleted the features/device-grant branch March 24, 2021 17:59
Successfully merging this pull request may close these issues.

Support RFC 8628 Device Authorization Grant