From acb3361fa28d609e63bc185553342fa93065ee73 Mon Sep 17 00:00:00 2001
From: Nikos <nikos.sklikas@canonical.com>
Date: Mon, 18 Nov 2024 11:25:36 +0200
Subject: [PATCH] fix: do not create openid session on device auth request

---
 handler/openid/flow_device_auth.go      | 12 +++--------
 handler/openid/flow_device_auth_test.go | 27 -------------------------
 2 files changed, 3 insertions(+), 36 deletions(-)

diff --git a/handler/openid/flow_device_auth.go b/handler/openid/flow_device_auth.go
index efeb2115..5bf8333b 100644
--- a/handler/openid/flow_device_auth.go
+++ b/handler/openid/flow_device_auth.go
@@ -25,6 +25,9 @@ type OpenIDConnectDeviceHandler struct {
 }
 
 func (c *OpenIDConnectDeviceHandler) HandleDeviceEndpointRequest(ctx context.Context, dar fosite.DeviceRequester, resp fosite.DeviceResponder) error {
+	// We don't want to create the openid session on this call, because we don't know if the user
+	// will actually complete the flow and give consent. The implementer MUST call the CreateOpenIDConnectSession
+	// methods when the user logs in to instantiate the session.
 	if !(dar.GetRequestedScopes().Has("openid")) {
 		return nil
 	}
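Review bot: The added comment tells the implementer to create the session at login but not which key it must be stored under, and that is the part that can silently go wrong: the removed code keyed it on the device code signature, and a session stored under any other key will presumably only surface as a failure at token exchange, not here. I would extend the comment with the key, e.g. `// ... keyed by the device code signature (DeviceCodeStrategy.DeviceCodeSignature), which is what the token-endpoint side of this handler looks up — confirm against that code path`. The comment also says "methods" (plural) while naming a single method. HandleDeviceEndpointRequest continues past the end of this hunk.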
@@ -37,14 +40,5 @@ func (c *OpenIDConnectDeviceHandler) HandleDeviceEndpointRequest(ctx context.Con
 		return errorsx.WithStack(fosite.ErrMisconfiguration.WithDebug("The device code has not been issued yet, indicating a broken code configuration."))
 	}
 
-	signature, err := c.DeviceCodeStrategy.DeviceCodeSignature(ctx, resp.GetDeviceCode())
-	if err != nil {
-		return err
-	}
-
-	if err := c.OpenIDConnectRequestStorage.CreateOpenIDConnectSession(ctx, signature, dar.Sanitize(oidcParameters)); err != nil {
-		return errorsx.WithStack(fosite.ErrServerError.WithWrap(err).WithDebug(err.Error()))
-	}
-
 	return nil
 }
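Review bot: The ErrMisconfiguration check kept at the top of this hunk existed to guard the DeviceCodeSignature call that the hunk removes, so it now only asserts that the device code was issued before this handler ran, an ordering nothing remaining in the method depends on. Either remove it along with the session creation, or keep it with a comment that states why the ordering is still enforced, e.g. `// The device code must already be issued: the OIDC session the implementer creates at login is keyed by its signature.` With this hunk the DeviceCodeStrategy and OpenIDConnectRequestStorage fields of OpenIDConnectDeviceHandler appear to have no remaining use in this method; worth checking whether the type still needs them elsewhere before they become dead configuration. The method's signature and the start of this check's surrounding block are outside this hunk.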
diff --git a/handler/openid/flow_device_auth_test.go b/handler/openid/flow_device_auth_test.go
index 34bb3bbf..25ea3815 100644
--- a/handler/openid/flow_device_auth_test.go
+++ b/handler/openid/flow_device_auth_test.go
@@ -10,7 +10,6 @@ import (
 	"time"
 
 	"github.com/ory/fosite/internal"
-	"github.com/pkg/errors"
 	gomock "go.uber.org/mock/gomock"
 
 	"github.com/stretchr/testify/require"
@@ -101,26 +100,6 @@ func TestDeviceAuth_HandleDeviceEndpointRequest(t *testing.T) {
 			authresp:  &fosite.DeviceResponse{},
 			expectErr: fosite.ErrMisconfiguration,
 		},
-		{
-			description: "should fail because cannot create session",
-			authreq: &fosite.DeviceRequest{
-				Request: fosite.Request{
-					RequestedScope: fosite.Arguments{"openid", "email"},
-					Client:         client,
-					Session:        session,
-				},
-			},
-			authresp: &fosite.DeviceResponse{
-				DeviceCode: "device_code",
-			},
-			setup: func(authreq *fosite.DeviceRequest) {
-				store.
-					EXPECT().
-					CreateOpenIDConnectSession(gomock.Any(), gomock.Any(), gomock.Eq(authreq.Sanitize(oidcParameters))).
-					Return(errors.New(""))
-			},
-			expectErr: fosite.ErrServerError,
-		},
 		{
 			description: "should pass",
 			authreq: &fosite.DeviceRequest{
@@ -133,12 +112,6 @@ func TestDeviceAuth_HandleDeviceEndpointRequest(t *testing.T) {
 			authresp: &fosite.DeviceResponse{
 				DeviceCode: "device_code",
 			},
-			setup: func(authreq *fosite.DeviceRequest) {
-				store.
-					EXPECT().
-					CreateOpenIDConnectSession(gomock.Any(), gomock.Any(), gomock.Eq(authreq.Sanitize(oidcParameters))).
-					Return(nil)
-			},
 		},
 	}