fix: do not create openid session on device auth request

Author: nsklikas

handler/openid/flow_device_auth.go

@@ -25,6 +25,9 @@ type OpenIDConnectDeviceHandler struct {
 }
 
 func (c *OpenIDConnectDeviceHandler) HandleDeviceEndpointRequest(ctx context.Context, dar fosite.DeviceRequester, resp fosite.DeviceResponder) error {
+	// We don't want to create the openid session on this call, because we don't know if the user
+	// will actually complete the flow and give consent. The implementer MUST call the CreateOpenIDConnectSession
+	// methods when the user logs in to instantiate the session.
 	if !(dar.GetRequestedScopes().Has("openid")) {
 		return nil
 	}
@@ -37,14 +40,5 @@ func (c *OpenIDConnectDeviceHandler) HandleDeviceEndpointRequest(ctx context.Con
 		return errorsx.WithStack(fosite.ErrMisconfiguration.WithDebug("The device code has not been issued yet, indicating a broken code configuration."))
 	}
 
-	signature, err := c.DeviceCodeStrategy.DeviceCodeSignature(ctx, resp.GetDeviceCode())
-	if err != nil {
-		return err
-	}
-
-	if err := c.OpenIDConnectRequestStorage.CreateOpenIDConnectSession(ctx, signature, dar.Sanitize(oidcParameters)); err != nil {
-		return errorsx.WithStack(fosite.ErrServerError.WithWrap(err).WithDebug(err.Error()))
-	}
-
 	return nil
 }

handler/openid/flow_device_auth_test.go

@@ -10,7 +10,6 @@ import (
 	"time"
 
 	"github.com/ory/fosite/internal"
-	"github.com/pkg/errors"
 	gomock "go.uber.org/mock/gomock"
 
 	"github.com/stretchr/testify/require"
@@ -101,26 +100,6 @@ func TestDeviceAuth_HandleDeviceEndpointRequest(t *testing.T) {
 			authresp:  &fosite.DeviceResponse{},
 			expectErr: fosite.ErrMisconfiguration,
 		},
-		{
-			description: "should fail because cannot create session",
-			authreq: &fosite.DeviceRequest{
-				Request: fosite.Request{
-					RequestedScope: fosite.Arguments{"openid", "email"},
-					Client:         client,
-					Session:        session,
-				},
-			},
-			authresp: &fosite.DeviceResponse{
-				DeviceCode: "device_code",
-			},
-			setup: func(authreq *fosite.DeviceRequest) {
-				store.
-					EXPECT().
-					CreateOpenIDConnectSession(gomock.Any(), gomock.Any(), gomock.Eq(authreq.Sanitize(oidcParameters))).
-					Return(errors.New(""))
-			},
-			expectErr: fosite.ErrServerError,
-		},
 		{
 			description: "should pass",
 			authreq: &fosite.DeviceRequest{
@@ -133,12 +112,6 @@ func TestDeviceAuth_HandleDeviceEndpointRequest(t *testing.T) {
 			authresp: &fosite.DeviceResponse{
 				DeviceCode: "device_code",
 			},
-			setup: func(authreq *fosite.DeviceRequest) {
-				store.
-					EXPECT().
-					CreateOpenIDConnectSession(gomock.Any(), gomock.Any(), gomock.Eq(authreq.Sanitize(oidcParameters))).
-					Return(nil)
-			},
 		},
 	}