Skip to content

feat(config): disable device_code grant by default #2068

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat(config): disable device_code grant by default #2068

wants to merge 1 commit into from

Conversation

renechoi
Copy link

@renechoi renechoi commented Jun 29, 2025
edited
Loading

Overview

This PR introduces an opt-in switch for the OAuth 2.0 Device Authorization Grant (aka device_code) in Spring Authorization Server.
By default the grant is disabled, bringing the framework in line with the “secure-by-default” principle discussed in [#1709](#1709).

Motivation

  • The Device Authorization Grant is purpose-built for devices that have limited input capabilities.
    Most new deployments of the Authorization Server target browser-based or mobile clients and do not require this flow.
  • Exposing unused endpoints (/oauth2/device_authorization, /oauth2/device_verification) increases the attack surface and the number of code paths that must be audited.
  • Disabling the grant unless explicitly requested mirrors the framework’s stance on other advanced or niche features (e.g. PAR being optional).

What changed

Area Change
AuthorizationServerSettings New flag deviceGrantEnabled (default false).
Builder API: deviceGrantEnabled(boolean) – fluent opt-in.
Endpoint configurers OAuth2DeviceAuthorizationEndpointConfigurer and OAuth2DeviceVerificationEndpointConfigurer now short-circuit their init() / configure() methods when the flag is false. No filters or providers are registered.
Global configurer OAuth2AuthorizationServerConfigurer skips Device Grant matchers unless the flag is enabled; avoids null request-matcher issues.
Settings names Added device-grant-enabled to ConfigurationSettingNames.AuthorizationServer.
Tests Updated existing Device Grant integration tests to enable the flag explicitly. Added a new test asserting that the endpoints return 404 when the flag is left at its default value.
Docs / headers All new code carries the Apache 2.0 header. Javadoc updated where relevant.

Opting back in

@Bean
AuthorizationServerSettings authorizationServerSettings() {
    return AuthorizationServerSettings.builder()
            .deviceGrantEnabled(true)   // <-- enable Device Grant
            // other custom settings …
            .build();
}

Once enabled, behaviour is identical to previous versions; no further changes are required in client or resource owner flows.

Backward compatibility

  • Breaking change?
    No—deployments that actively use the Device Grant just need to flip one property. All other grants continue to function unchanged.
  • Binary compatibility: Existing API signatures are untouched; only one boolean accessor/mutator is added.
  • Semantic compatibility: If deviceGrantEnabled(true) is configured the runtime behaviour is byte-for-byte equivalent to current main.

Test coverage

  • Happy path tests: All existing OAuth2DeviceCodeGrantTests now run with the flag enabled.
  • Negative path test: New test requestWhenDeviceAuthorizationEndpointDisabledThenNotFound verifies that the endpoint is not exposed by default.
  • CI: All modules compile and the full test suite passes (./gradlew check).

Upgrade notes

  1. If your application relies on the Device Authorization Grant, add
    deviceGrantEnabled(true) to your AuthorizationServerSettings bean (see snippet above).
  2. No migration is required for applications that do not use the grant; they are now more secure by default.

Related links

Checklist

  • Code compiles (./gradlew clean build)
  • All tests pass
  • New functionality documented via Javadoc
  • Commit signed (Signed-off-by) and follows Conventional Commit format

*Signed-off-by: renechoi [[[email protected]]

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jun 29, 2025
@renechoi
feat(config): disable device_code grant by default
50f0d04 
Before: Device Authorization Grant endpoints were always enabled, exposing
an attack surface that most deployments do not need.

After: The grant is now opt-in. A new deviceGrantEnabled flag on
AuthorizationServerSettings defaults to false; filters and providers are
registered only when it is explicitly true.

This change strengthens the framework’s secure-by-default posture and
aligns with the discussion in spring-projectsgh-1709.

Closes spring-projectsgh-1709

Signed-off-by: renechoi [email protected]
Signed-off-by: renechoi <[email protected]>
@renechoi renechoi force-pushed the gh-1709-disable-device-grant-default branch from c5c1172 to 50f0d04 Compare June 29, 2025 03:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
status: waiting-for-triage An issue we've not yet triaged
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Consider disabling device_code grant by default
2 participants
@renechoi @spring-projects-issues