[Bug]: using github oauth with step oauth --console-flow=device does not work  #740

@spacedub

Description

Steps to Reproduce

  1. create an OAuth app on GitHub to be able to test - be sure to allow device flow - and save the client id
  2. step oauth --client-id XXXXX --console-flow device --token-endpoint https://github.com/login/oauth/access_token --scope "user" --device-authorization-endpoint https://github.com/login/device/code (<- replace XXXXX with the client id from above)

Your Environment

  • OS - macOS Monterey 12.5.1
  • step CLI Version - master, 746b47642de2fc4317e34d3e987267d4b2430ebe

Expected Behavior

Should work

Actual Behavior

This will first fail at the first request to GitHub, as step tries to parse the response as JSON:

failure decoding device authz response to JWON: invalid character 'd' looking for beginning of value

Unfortunately, GitHub's response is by default of content-type application/x-www-form-urlencoded, unless the client sends an Accept: application/json header.

https://github.com/smallstep/cli/blob/master/command/oauth/cmd.go#L853

I did work around this for myself by having a custom http.RoundTripper that adds the Accept: application/json header if req.Host is github.com.

Once this one is fixed, step will properly read the response and start polling the token endpoint, but will exit abnormally fast, at the first polling attempt, after 5 seconds (which is the interval GitHub returns), instead of properly waiting for the user to finish the browser flow.

The reason seems to be:

return tok, nil

Typically, while the authorization is pending, GitHub will return (200):

{"error":"authorization_pending","error_description":"The authorization request is still pending.","error_uri":"https://docs.github.com/developers/apps/authorizing-oauth-apps#error-codes-for-the-device-flow"}

which will marshal into token properly without an "error", and return, though there is no actual AccessToken at that point of course.

... I believe this code should only return if tok.AccessToken != "" (or tok.Err == "").

(https://datatracker.ietf.org/doc/html/rfc6749#section-5.1)

Either way, after working around these two issues, I was able to complete the flow without errors.

Additional Context

Happy to try and send a PR to fix these, but would like an opinion first on the right solution for this (e.g. if adding a custom RoundTripper to the default HTTP client is the right idea, where should that best be set?).

Contributing

No response
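The device-flow polling the report describes, as an added example in Go that is not the smallstep CLI's own code: every token request carries Accept: application/json so GitHub answers in JSON, and an HTTP 200 whose body has "error":"authorization_pending" is treated as "keep waiting" rather than as a token, so the loop only returns once access_token is non-empty. It also backs off on slow_down as RFC 8628 §3.5 requires, which goes beyond what the report mentions. The function names, the httptest stand-in for GitHub's token endpoint (which mimics the form-encoded default when Accept is missing) and the token value gho_constructed are all assumptions constructed for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync/atomic"
	"time"
)

// tokenResponse holds the success fields (RFC 6749 §5.1) and the error fields
// (RFC 6749 §5.2, RFC 8628 §3.5) a token endpoint may return in one shape.
type tokenResponse struct {
	AccessToken string `json:"access_token,omitempty"`
	Error       string `json:"error,omitempty"`
	ErrorDesc   string `json:"error_description,omitempty"`
}

var errPending, errSlowDown = errors.New("authorization_pending"), errors.New("slow_down")

// classify turns a decoded reply into success, "keep polling" or a fatal error.
// HTTP 200 with an "error" field is not success; only a non-empty access_token is.
func classify(tok *tokenResponse) error {
	switch {
	case tok.Error == "" && tok.AccessToken != "":
		return nil
	case tok.Error == "":
		return errors.New("token endpoint returned neither access_token nor error")
	case tok.Error == "authorization_pending":
		return errPending
	case tok.Error == "slow_down":
		return errSlowDown
	}
	return fmt.Errorf("%s: %s", tok.Error, tok.ErrorDesc)
}

// pollOnce sends a single device-code grant request to the token endpoint.
func pollOnce(client *http.Client, tokenEndpoint, clientID, deviceCode string) (*tokenResponse, error) {
	form := url.Values{"client_id": {clientID}, "device_code": {deviceCode}, "grant_type": {"urn:ietf:params:oauth:grant-type:device_code"}}
	req, err := http.NewRequest(http.MethodPost, tokenEndpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Accept", "application/json") // without this GitHub answers form-encoded
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var tok tokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&tok); err != nil {
		return nil, fmt.Errorf("decoding token response (content-type %q): %w", resp.Header.Get("Content-Type"), err)
	}
	return &tok, classify(&tok)
}

// pollForToken keeps polling until the browser flow completes, backing off on slow_down.
func pollForToken(client *http.Client, tokenEndpoint, clientID, deviceCode string, interval time.Duration, maxAttempts int) (*tokenResponse, int, error) {
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		tok, err := pollOnce(client, tokenEndpoint, clientID, deviceCode)
		switch {
		case err == nil:
			return tok, attempt, nil
		case errors.Is(err, errPending): // user still in the browser: wait one interval and retry
		case errors.Is(err, errSlowDown):
			interval += 5 * time.Second // RFC 8628 §3.5: add 5 seconds to the interval
		default:
			return nil, attempt, err // access_denied, expired_token, decode failure, ...
		}
		time.Sleep(interval)
	}
	return nil, maxAttempts, errors.New("gave up waiting for device authorization")
}

// newFakeGitHub is a constructed stand-in for GitHub's token endpoint: the first pendingPolls
// requests get HTTP 200 with {"error":"authorization_pending"}, later ones get a token, and
// without Accept: application/json the body is form-encoded, as the report describes.
func newFakeGitHub(pendingPolls int32) *httptest.Server {
	var polls int32
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		reply := tokenResponse{AccessToken: "gho_constructed"} // constructed token value
		if atomic.AddInt32(&polls, 1) <= pendingPolls {
			reply = tokenResponse{Error: "authorization_pending", ErrorDesc: "The authorization request is still pending."}
		}
		if r.Header.Get("Accept") != "application/json" {
			w.Header().Set("Content-Type", "application/x-www-form-urlencoded")
			form := url.Values{"access_token": {reply.AccessToken}, "error": {reply.Error}, "error_description": {reply.ErrorDesc}}
			fmt.Fprint(w, form.Encode())
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(reply)
	}))
}
```

With the fake configured for three pending polls, pollForToken returns the token on the fourth attempt instead of exiting after the first reply; posting to the same fake without the Accept header yields a form-encoded body that fails JSON decoding, which is the first failure in the report. A real client would also stop at expires_in from the device authorization response; that bound is left out here for brevity.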
