Add OAuth 2.0 Device Authorization Grant

[sjohnr]

Add initial support for OAuth 2.0 Device Authorization Grant.

This PR includes very few test updates and does not include updates to the JdbcOAuth2AuthorizationService. I've also added a separate sample, device-grant-authorizationserver. I can eventually combine this with the default sample before merging.

New endpoints

• Device Authorization Endpoint
• Device Verification Endpoint

Note: The second endpoint is not in the spec, but handles the user interaction section of the spec.

New AuthenticationProviders

(and corresponding AuthenticationConverters)

OAuth2DeviceAuthorizationRequestAuthenticationProvider - Handles the Device Authorization Request

• Returns OAuth2DeviceAuthorizationRequestAuthenticationToken

OAuth2DeviceVerificationAuthenticationProvider - Handles determining if Consent is required, and either returning consent required or directly authorizing the original Device Authorization Request

• Returns either OAuth2DeviceAuthorizationConsentAuthenticationToken or OAuth2DeviceVerificationAuthenticationToken

Note: This is very similar to OAuth2AuthorizationCodeRequestAuthenticationProvider.

OAuth2DeviceAuthorizationConsentAuthenticationProvider - Handles saving authorization consent and authorizing the original Device Authorization Request

• Returns OAuth2DeviceVerificationAuthenticationToken

OAuth2DeviceCodeAuthenticationProvider - Handles the Access Token Request for the device_code grant type

• Returns OAuth2AccessTokenAuthenticationToken

Testing

Using HTTPie, make the following requests:

Device Authorization Request

http POST :9000/oauth2/device_authorization scope=='message.read message.write' -a messaging-client:secret

Returns

{
    "device_code": "Efw...",
    "expires_in": 600,
    "interval": 5,
    "user_code": "RNDPGEFY",
    "verification_uri": "http://localhost:9000/activate",
    "verification_uri_complete": "http://localhost:9000/activate?user_code=RNDPGEFY"
}

Note: Returns /activate as the verification_uri because the sample has customized the deviceVerificationUri via

authorizationServerConfigurer
	.deviceAuthorizationEndpoint((deviceAuthorizationEndpoint) -> deviceAuthorizationEndpoint
		.verificationUri("/activate")
	);

Poll the Token Endpoint

Perform an initial token request:

export DEVICE_TOKEN="Efw..."
http POST :9000/oauth2/token grant_type=='urn:ietf:params:oauth:grant-type:device_code' device_code==$DEVICE_CODE -a messaging-client:secret

Returns

{
    "error": "authorization_pending",
    "error_uri": "https://datatracker.ietf.org/doc/html/rfc8628#section-3.5"
}

Authorize the client (user interaction)

Open the verification_uri_complete URL in a browser, or alternatively copy the user_code and open the verification_uri and log in to submit consent and authorize the client.

Note the additional banner per recommendation in the spec:

The server SHOULD display
the "user_code" to the user and ask them to verify that it matches
the "user_code" being displayed on the device to confirm they are
authorizing the correct device.

Token Request

Perform another token request:

http POST :9000/oauth2/token grant_type=='urn:ietf:params:oauth:grant-type:device_code' device_code==$DEVICE_CODE -a messaging-client:secret

Returns

{
    "access_token": "eyJ...",
    "expires_in": 299,
    "refresh_token": "wyK...",
    "scope": "message.read message.write",
    "token_type": "Bearer"
}

[jgrandja]

This is looking great @sjohnr ! Please see review comments.