OIDCNG: Make the device flow configurable

OpenConext · Oct 14, 2024 · 8699d72 · 8699d72
1 parent 27af4e0
commit 8699d72
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 2 deletions.
diff --git a/roles/oidcng/defaults/main.yml b/roles/oidcng/defaults/main.yml
@@ -9,6 +9,7 @@ oidcng_idp_metadata_url: https://engine.{{ base_domain }}/authentication/idp/met
 oidcng_base_hostname: connect.{{ base_domain }}
 oidcng_logback_email: true
 oidcng_logback_json: true
+oidcng_device_flow: false
 oidcng_idp_sso_location: https://engine.{{ base_domain }}/authentication/idp/single-sign-on
 oidcng_manage_provision_samlsp_client_id: "https://connect.{{ base_domain }}"
 oidcng_manage_provision_samlsp_name_en: "{{ instance_name }} OIDC Gateway"
@@ -18,3 +19,4 @@ oidcng_manage_provision_samlsp_metadata_url: "https://connect.{{ base_domain }}/
 oidcng_manage_provision_samlsp_sp_cert: "{{ lookup('file', '{{ inventory_dir }}/files/certs/oidc/oidcsaml.crt') | depem }}"
 oidcng_manage_provision_samlsp_sign: "True"
 oidcng_manage_provision_samlsp_trusted_proxy: "True"
+
diff --git a/roles/oidcng/templates/application.yml.j2 b/roles/oidcng/templates/application.yml.j2
@@ -50,7 +50,9 @@ certificate_path: file://{{ oidcng_config_dir }}/oidcsaml.crt
 default_acr_value: {{ oidcng.default_acr_value }}
 secure_cookie: true
 oidc_token_endpoint: https://connect.{{ base_domain }}/oidc/token
+{% if oidcng_device_flow | bool %}
 device_verification_url: https://connect.{{ base_domain }}/oidc/verify
+{% endif %}
 environment: {{ oidcng.environment }}
 
 features:

diff --git a/roles/oidcng/templates/openid-configuration.json.j2 b/roles/oidcng/templates/openid-configuration.json.j2
@@ -5,7 +5,9 @@
   "userinfo_endpoint": "https://{{ oidcng_base_hostname }}/oidc/userinfo",
   "introspect_endpoint": "https://{{ oidcng_base_hostname }}/oidc/introspect",
   "jwks_uri": "https://{{ oidcng_base_hostname }}/oidc/certs",
+{% if oidcng_device_flow | bool %}
   "device_authorization_endpoint": "https://{{ oidcng_base_hostname }}/oidc/device_authorization",
+{% endif %}
   "response_types_supported": [
     "code",
     "token",
@@ -24,8 +26,10 @@
     "authorization_code",
     "implicit",
     "refresh_token",
-    "client_credentials",
-    "urn:ietf:params:oauth:grant-type:device_code"
+{% if oidcng_device_flow | bool %}
+    "urn:ietf:params:oauth:grant-type:device_code",
+{% endif %}
+    "client_credentials"
   ],
   "subject_types_supported": [
     "public",