fix: do not create openid session on device auth request

handler/openid/flow_device_auth.go

@@ -9,7 +9,6 @@ import (
 	"github.com/ory/fosite/handler/rfc8628"
 
 	"github.com/ory/fosite"
-	"github.com/ory/x/errorsx"
 )
 
 // OpenIDConnectDeviceHandler a response handler for the Device Authorization Grant with OpenID Connect identity layer
@@ -25,26 +24,8 @@ type OpenIDConnectDeviceHandler struct {
 }
 
 func (c *OpenIDConnectDeviceHandler) HandleDeviceEndpointRequest(ctx context.Context, dar fosite.DeviceRequester, resp fosite.DeviceResponder) error {
-	if !(dar.GetRequestedScopes().Has("openid")) {
-		return nil
-	}
-
-	if !dar.GetClient().GetGrantTypes().Has(string(fosite.GrantTypeDeviceCode)) {
-		return nil
-	}
-
-	if resp.GetDeviceCode() == "" {
-		return errorsx.WithStack(fosite.ErrMisconfiguration.WithDebug("The device code has not been issued yet, indicating a broken code configuration."))
-	}
-
-	signature, err := c.DeviceCodeStrategy.DeviceCodeSignature(ctx, resp.GetDeviceCode())
-	if err != nil {
-		return err
-	}
-
-	if err := c.OpenIDConnectRequestStorage.CreateOpenIDConnectSession(ctx, signature, dar.Sanitize(oidcParameters)); err != nil {
-		return errorsx.WithStack(fosite.ErrServerError.WithWrap(err).WithDebug(err.Error()))
-	}
-
+	// We don't want to create the openid session on this call, because we don't know if the user
+	// will actually complete the flow and give consent. The implementer MUST call the CreateOpenIDConnectSession
+	// methods when the user logs in to instantiate the session.
 	return nil
 }

handler/openid/flow_device_auth_test.go

@@ -10,7 +10,6 @@ import (
 	"time"
 
 	"github.com/ory/fosite/internal"
-	"github.com/pkg/errors"
 	gomock "go.uber.org/mock/gomock"
 
 	"github.com/stretchr/testify/require"
@@ -90,37 +89,6 @@ func TestDeviceAuth_HandleDeviceEndpointRequest(t *testing.T) {
 				},
 			},
 		},
-		{
-			description: "should fail because device code is not issued",
-			authreq: &fosite.DeviceRequest{
-				Request: fosite.Request{
-					RequestedScope: fosite.Arguments{"openid", "email"},
-					Client:         client,
-				},
-			},
-			authresp:  &fosite.DeviceResponse{},
-			expectErr: fosite.ErrMisconfiguration,
-		},
-		{
-			description: "should fail because cannot create session",
-			authreq: &fosite.DeviceRequest{
-				Request: fosite.Request{
-					RequestedScope: fosite.Arguments{"openid", "email"},
-					Client:         client,
-					Session:        session,
-				},
-			},
-			authresp: &fosite.DeviceResponse{
-				DeviceCode: "device_code",
-			},
-			setup: func(authreq *fosite.DeviceRequest) {
-				store.
-					EXPECT().
-					CreateOpenIDConnectSession(gomock.Any(), gomock.Any(), gomock.Eq(authreq.Sanitize(oidcParameters))).
-					Return(errors.New(""))
-			},
-			expectErr: fosite.ErrServerError,
-		},
 		{
 			description: "should pass",
 			authreq: &fosite.DeviceRequest{
@@ -133,12 +101,6 @@ func TestDeviceAuth_HandleDeviceEndpointRequest(t *testing.T) {
 			authresp: &fosite.DeviceResponse{
 				DeviceCode: "device_code",
 			},
-			setup: func(authreq *fosite.DeviceRequest) {
-				store.
-					EXPECT().
-					CreateOpenIDConnectSession(gomock.Any(), gomock.Any(), gomock.Eq(authreq.Sanitize(oidcParameters))).
-					Return(nil)
-			},
 		},
 	}