Made full URLs for device flow switchable server-wide instead of per-client

Author: jricher

openid-connect-common/src/main/java/org/mitre/openid/connect/config/ConfigurationPropertiesBean.java

@@ -68,6 +68,8 @@ public class ConfigurationPropertiesBean {
 private boolean dualClient = false;
 
 private boolean heartMode = false;
+
+private boolean allowCompleteDeviceCodeUri = false;
 
 public ConfigurationPropertiesBean() {
 
@@ -257,4 +259,18 @@ public boolean isHeartMode() {
 public void setHeartMode(boolean heartMode) {
 this.heartMode = heartMode;
 }
+
+/**
+ * @return the allowCompleteDeviceCodeUri
+ */
+public boolean isAllowCompleteDeviceCodeUri() {
+return allowCompleteDeviceCodeUri;
+}
+
+/**
+ * @param allowCompleteDeviceCodeUri the allowCompleteDeviceCodeUri to set
+ */
+public void setAllowCompleteDeviceCodeUri(boolean allowCompleteDeviceCodeUri) {
+this.allowCompleteDeviceCodeUri = allowCompleteDeviceCodeUri;
+}
 }

openid-connect-server-webapp/src/main/webapp/WEB-INF/server-config.xml

@@ -68,6 +68,10 @@
 <!-- This property turns on HEART compliance mode -->
 <!-- <property name="heartMode" value="true" /> -->
 
+ <!-- This property allows the server to create and accept fully-composed 
+ user URIs (with the user-code emebedded) for the device flow -->
+ <!-- <property name="allowCompleteDeviceCodeUri" value="true" /> -->
+
 </bean>
 
 </beans>

openid-connect-server/src/main/java/org/mitre/oauth2/web/DeviceEndpoint.java

@@ -138,18 +138,21 @@ public String requestDeviceCode(@RequestParam("client_id") String clientId, @Req
 try {
 DeviceCode dc = deviceCodeService.createNewDeviceCode(requestedScopes, client, parameters);
 
-URI verificationUriComplete = new URIBuilder(config.getIssuer() + USER_URL)
-.addParameter("user_code", dc.getUserCode())
-.build();
-
 Map<String, Object> response = new HashMap<>();
 response.put("device_code", dc.getDeviceCode());
 response.put("user_code", dc.getUserCode());
 response.put("verification_uri", config.getIssuer() + USER_URL);
-response.put("verification_uri_complete", verificationUriComplete);
 if (client.getDeviceCodeValiditySeconds() != null) {
 response.put("expires_in", client.getDeviceCodeValiditySeconds());
 }
+
+if (config.isAllowCompleteDeviceCodeUri()) {
+URI verificationUriComplete = new URIBuilder(config.getIssuer() + USER_URL)
+.addParameter("user_code", dc.getUserCode())
+.build();
+
+response.put("verification_uri_complete", verificationUriComplete.toString());
+}
 
 model.put(JsonEntityView.ENTITY, response);
 
@@ -175,8 +178,8 @@ public String requestDeviceCode(@RequestParam("client_id") String clientId, @Req
 @RequestMapping(value = "/" + USER_URL, method = RequestMethod.GET)
 public String requestUserCode(@RequestParam(value = "user_code", required = false) String userCode, ModelMap model, HttpSession session) {
 
-if (userCode == null) {
-
+if (!config.isAllowCompleteDeviceCodeUri() || userCode == null) {
+// if we don't allow the complete URI or we didn't get a user code on the way in,
 // print out a page that asks the user to enter their user code
 // user must be logged in
 return "requestUserCode";