fix: do not create openid session on device auth request

ory · Nov 18, 2024 · c778674 · c778674
1 parent 9753bcd
commit c778674
Showing 1 changed file with 3 additions and 9 deletions.
diff --git a/handler/openid/flow_device_auth.go b/handler/openid/flow_device_auth.go
@@ -25,6 +25,9 @@ type OpenIDConnectDeviceHandler struct {
 }
 
 func (c *OpenIDConnectDeviceHandler) HandleDeviceEndpointRequest(ctx context.Context, dar fosite.DeviceRequester, resp fosite.DeviceResponder) error {
+	// We don't want to create the openid session on this call, because we don't know if the user
+	// will actually complete the flow and give consent. The implementer MUST call the CreateOpenIDConnectSession
+	// methods when the user logs in to instantiate the session.
 	if !(dar.GetRequestedScopes().Has("openid")) {
 		return nil
 	}
@@ -37,14 +40,5 @@ func (c *OpenIDConnectDeviceHandler) HandleDeviceEndpointRequest(ctx context.Con
 		return errorsx.WithStack(fosite.ErrMisconfiguration.WithDebug("The device code has not been issued yet, indicating a broken code configuration."))
 	}
 
-	signature, err := c.DeviceCodeStrategy.DeviceCodeSignature(ctx, resp.GetDeviceCode())
-	if err != nil {
-		return err
-	}
-
-	if err := c.OpenIDConnectRequestStorage.CreateOpenIDConnectSession(ctx, signature, dar.Sanitize(oidcParameters)); err != nil {
-		return errorsx.WithStack(fosite.ErrServerError.WithWrap(err).WithDebug(err.Error()))
-	}
-
 	return nil
 }