Add device_code_client_id and device_code_client_secret to OAuth Resource Metadata and bump version to 0.1.22

rustyconover · claude · rustyconover · commit de1daa4d6db5 · 2026-03-06T09:50:12.000-05:00
Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "vgi-rpc"
-version = "0.1.21"
+version = "0.1.22"
 description = "Vector Gateway Interface - RPC framework based on Apache Arrow"
 readme = "README.md"
 requires-python = ">=3.13"
diff --git a/tests/test_oauth.py b/tests/test_oauth.py
@@ -27,6 +27,8 @@
     make_sync_client,
     parse_client_id,
     parse_client_secret,
+    parse_device_code_client_id,
+    parse_device_code_client_secret,
     parse_resource_metadata_url,
     parse_use_id_token_as_bearer,
 )
@@ -129,6 +131,10 @@ def authenticate(req: falcon.Request) -> AuthContext:
     _METADATA, client_id="my-client-id", client_secret="my-client-secret"
 )
 _METADATA_WITH_ID_TOKEN = dataclasses.replace(_METADATA, use_id_token_as_bearer=True)
+_METADATA_WITH_DEVICE_CODE_CLIENT_ID = dataclasses.replace(_METADATA, device_code_client_id="device-client-id")
+_METADATA_WITH_DEVICE_CODE_CLIENT_SECRET = dataclasses.replace(
+    _METADATA, device_code_client_id="device-client-id", device_code_client_secret="device-client-secret"
+)
 
 
 # ---------------------------------------------------------------------------
@@ -195,6 +201,8 @@ def test_well_known_omits_default_fields(self) -> None:
         assert "resource_name" not in d
         assert "client_id" not in d
         assert "client_secret" not in d
+        assert "device_code_client_id" not in d
+        assert "device_code_client_secret" not in d
 
     def test_well_known_exempt_from_auth(self) -> None:
         """Well-known endpoint is accessible even with auth enabled."""
@@ -544,6 +552,184 @@ def test_client_discovery_round_trip_with_use_id_token_as_bearer(self) -> None:
         assert meta is not None
         assert meta.use_id_token_as_bearer is True
 
+    def test_device_code_client_id_rejects_unsafe_characters(self) -> None:
+        """device_code_client_id with non-URL-safe characters raises ValueError."""
+        with pytest.raises(ValueError, match="URL-safe"):
+            OAuthResourceMetadata(
+                resource="https://example.com/vgi",
+                authorization_servers=("https://auth.example.com",),
+                device_code_client_id='bad"id',
+            )
+        with pytest.raises(ValueError, match="URL-safe"):
+            OAuthResourceMetadata(
+                resource="https://example.com/vgi",
+                authorization_servers=("https://auth.example.com",),
+                device_code_client_id="has space",
+            )
+
+    def test_device_code_client_id_in_well_known_json(self) -> None:
+        """device_code_client_id appears in well-known JSON when set."""
+        server = RpcServer(_EchoService, _EchoImpl())
+        client = make_sync_client(
+            server, signing_key=b"k", oauth_resource_metadata=_METADATA_WITH_DEVICE_CODE_CLIENT_ID
+        )
+        resp = client.get("/.well-known/oauth-protected-resource")
+        body = json.loads(resp.content)
+        assert body["device_code_client_id"] == "device-client-id"
+
+    def test_device_code_client_id_in_www_authenticate(self) -> None:
+        """device_code_client_id appears in WWW-Authenticate header when set."""
+        _priv, pub = _make_rsa_key()
+        auth_fn = _make_local_auth(pub)
+        server = RpcServer(_EchoService, _EchoImpl())
+        client = make_sync_client(
+            server,
+            signing_key=b"k",
+            authenticate=auth_fn,
+            oauth_resource_metadata=_METADATA_WITH_DEVICE_CODE_CLIENT_ID,
+        )
+        resp = client.post(
+            "/vgi/echo",
+            content=b"garbage",
+            headers={"Content-Type": "application/octet-stream"},
+        )
+        assert resp.status_code == 401
+        www_auth = resp.headers.get("www-authenticate", "")
+        assert 'device_code_client_id="device-client-id"' in www_auth
+
+    def test_device_code_client_id_absent_from_www_authenticate(self) -> None:
+        """device_code_client_id absent from WWW-Authenticate when not set."""
+        _priv, pub = _make_rsa_key()
+        auth_fn = _make_local_auth(pub)
+        server = RpcServer(_EchoService, _EchoImpl())
+        client = make_sync_client(
+            server,
+            signing_key=b"k",
+            authenticate=auth_fn,
+            oauth_resource_metadata=_METADATA,
+        )
+        resp = client.post(
+            "/vgi/echo",
+            content=b"garbage",
+            headers={"Content-Type": "application/octet-stream"},
+        )
+        assert resp.status_code == 401
+        www_auth = resp.headers.get("www-authenticate", "")
+        assert "device_code_client_id" not in www_auth
+
+    def test_parse_device_code_client_id_extracts_value(self) -> None:
+        """parse_device_code_client_id() extracts value from header."""
+        header = (
+            'Bearer resource_metadata="https://example.com/.well-known/oauth-protected-resource/vgi"'
+            ', device_code_client_id="my-device-app"'
+        )
+        assert parse_device_code_client_id(header) == "my-device-app"
+
+    def test_parse_device_code_client_id_returns_none_when_absent(self) -> None:
+        """parse_device_code_client_id() returns None when not present."""
+        assert parse_device_code_client_id("Bearer") is None
+        assert parse_device_code_client_id('Bearer resource_metadata="https://example.com"') is None
+        assert parse_device_code_client_id("") is None
+
+    def test_client_discovery_round_trip_with_device_code_client_id(self) -> None:
+        """Client discovers device_code_client_id set on server."""
+        server = RpcServer(_EchoService, _EchoImpl())
+        client = make_sync_client(
+            server, signing_key=b"k", oauth_resource_metadata=_METADATA_WITH_DEVICE_CODE_CLIENT_ID
+        )
+        meta = http_oauth_metadata(client=client)
+        assert meta is not None
+        assert meta.device_code_client_id == "device-client-id"
+
+    def test_device_code_client_secret_rejects_unsafe_characters(self) -> None:
+        """device_code_client_secret with non-URL-safe characters raises ValueError."""
+        with pytest.raises(ValueError, match="URL-safe"):
+            OAuthResourceMetadata(
+                resource="https://example.com/vgi",
+                authorization_servers=("https://auth.example.com",),
+                device_code_client_secret='bad"secret',
+            )
+        with pytest.raises(ValueError, match="URL-safe"):
+            OAuthResourceMetadata(
+                resource="https://example.com/vgi",
+                authorization_servers=("https://auth.example.com",),
+                device_code_client_secret="has space",
+            )
+
+    def test_device_code_client_secret_in_well_known_json(self) -> None:
+        """device_code_client_secret appears in well-known JSON when set."""
+        server = RpcServer(_EchoService, _EchoImpl())
+        client = make_sync_client(
+            server, signing_key=b"k", oauth_resource_metadata=_METADATA_WITH_DEVICE_CODE_CLIENT_SECRET
+        )
+        resp = client.get("/.well-known/oauth-protected-resource")
+        body = json.loads(resp.content)
+        assert body["device_code_client_secret"] == "device-client-secret"
+
+    def test_device_code_client_secret_in_www_authenticate(self) -> None:
+        """device_code_client_secret appears in WWW-Authenticate header when set."""
+        _priv, pub = _make_rsa_key()
+        auth_fn = _make_local_auth(pub)
+        server = RpcServer(_EchoService, _EchoImpl())
+        client = make_sync_client(
+            server,
+            signing_key=b"k",
+            authenticate=auth_fn,
+            oauth_resource_metadata=_METADATA_WITH_DEVICE_CODE_CLIENT_SECRET,
+        )
+        resp = client.post(
+            "/vgi/echo",
+            content=b"garbage",
+            headers={"Content-Type": "application/octet-stream"},
+        )
+        assert resp.status_code == 401
+        www_auth = resp.headers.get("www-authenticate", "")
+        assert 'device_code_client_secret="device-client-secret"' in www_auth
+
+    def test_device_code_client_secret_absent_from_www_authenticate(self) -> None:
+        """device_code_client_secret absent from WWW-Authenticate when not set."""
+        _priv, pub = _make_rsa_key()
+        auth_fn = _make_local_auth(pub)
+        server = RpcServer(_EchoService, _EchoImpl())
+        client = make_sync_client(
+            server,
+            signing_key=b"k",
+            authenticate=auth_fn,
+            oauth_resource_metadata=_METADATA,
+        )
+        resp = client.post(
+            "/vgi/echo",
+            content=b"garbage",
+            headers={"Content-Type": "application/octet-stream"},
+        )
+        assert resp.status_code == 401
+        www_auth = resp.headers.get("www-authenticate", "")
+        assert "device_code_client_secret" not in www_auth
+
+    def test_parse_device_code_client_secret_extracts_value(self) -> None:
+        """parse_device_code_client_secret() extracts value from header."""
+        header = (
+            'Bearer resource_metadata="https://example.com/.well-known/oauth-protected-resource/vgi"'
+            ', device_code_client_id="my-device-app", device_code_client_secret="my-device-secret"'
+        )
+        assert parse_device_code_client_secret(header) == "my-device-secret"
+
+    def test_parse_device_code_client_secret_returns_none_when_absent(self) -> None:
+        """parse_device_code_client_secret() returns None when not present."""
+        assert parse_device_code_client_secret("Bearer") is None
+        assert parse_device_code_client_secret('Bearer resource_metadata="https://example.com"') is None
+        assert parse_device_code_client_secret("") is None
+
+    def test_client_discovery_round_trip_with_device_code_client_secret(self) -> None:
+        """Client discovers device_code_client_secret set on server."""
+        server = RpcServer(_EchoService, _EchoImpl())
+        client = make_sync_client(
+            server, signing_key=b"k", oauth_resource_metadata=_METADATA_WITH_DEVICE_CODE_CLIENT_SECRET
+        )
+        meta = http_oauth_metadata(client=client)
+        assert meta is not None
+        assert meta.device_code_client_secret == "device-client-secret"
+
     def test_401_discovery_flow(self) -> None:
         """Full 401-based discovery: get 401, parse header, fetch metadata."""
         _priv, pub = _make_rsa_key()
diff --git a/uv.lock b/uv.lock
diff --git a/vgi_rpc/http/__init__.py b/vgi_rpc/http/__init__.py
@@ -38,6 +38,8 @@
     http_oauth_metadata,
     parse_client_id,
     parse_client_secret,
+    parse_device_code_client_id,
+    parse_device_code_client_secret,
     parse_resource_metadata_url,
     parse_use_id_token_as_bearer,
     request_upload_urls,
@@ -94,6 +96,8 @@
     "make_sync_client",
     "parse_client_id",
     "parse_client_secret",
+    "parse_device_code_client_id",
+    "parse_device_code_client_secret",
     "parse_resource_metadata_url",
     "parse_use_id_token_as_bearer",
     "make_wsgi_app",
diff --git a/vgi_rpc/http/_client.py b/vgi_rpc/http/_client.py
@@ -955,6 +955,11 @@ class OAuthResourceMetadataResponse:
         use_id_token_as_bearer: When ``True``, the client should use the
             OIDC ``id_token`` as the Bearer token instead of the
             ``access_token``.  Custom extension (not in RFC 9728).
+        device_code_client_id: OAuth client_id to use specifically for the
+            device code grant flow.  Custom extension (not in RFC 9728).
+        device_code_client_secret: OAuth client_secret to use specifically
+            for the device code grant flow.  Custom extension (not in
+            RFC 9728).
 
     """
 
@@ -970,6 +975,8 @@ class OAuthResourceMetadataResponse:
     client_id: str | None = None
     client_secret: str | None = None
     use_id_token_as_bearer: bool = False
+    device_code_client_id: str | None = None
+    device_code_client_secret: str | None = None
 
 
 def http_oauth_metadata(
@@ -1024,6 +1031,8 @@ def http_oauth_metadata(
 _CLIENT_ID_RE = re.compile(r'client_id="([^"]+)"')
 _CLIENT_SECRET_RE = re.compile(r'client_secret="([^"]+)"')
 _USE_ID_TOKEN_RE = re.compile(r'use_id_token_as_bearer="([^"]+)"')
+_DEVICE_CODE_CLIENT_ID_RE = re.compile(r'device_code_client_id="([^"]+)"')
+_DEVICE_CODE_CLIENT_SECRET_RE = re.compile(r'device_code_client_secret="([^"]+)"')
 
 
 def parse_resource_metadata_url(www_authenticate: str) -> str | None:
@@ -1100,6 +1109,42 @@ def parse_use_id_token_as_bearer(www_authenticate: str) -> bool:
     return match.group(1) == "true" if match else False
 
 
+def parse_device_code_client_id(www_authenticate: str) -> str | None:
+    """Extract the ``device_code_client_id`` from a ``WWW-Authenticate`` header.
+
+    Parses a ``Bearer`` challenge and returns the ``device_code_client_id``
+    parameter value, or ``None`` if not present.  This is a custom extension
+    (not defined in RFC 9728).
+
+    Args:
+        www_authenticate: The ``WWW-Authenticate`` header value.
+
+    Returns:
+        The device_code_client_id string, or ``None`` if not present.
+
+    """
+    match = _DEVICE_CODE_CLIENT_ID_RE.search(www_authenticate)
+    return match.group(1) if match else None
+
+
+def parse_device_code_client_secret(www_authenticate: str) -> str | None:
+    """Extract the ``device_code_client_secret`` from a ``WWW-Authenticate`` header.
+
+    Parses a ``Bearer`` challenge and returns the ``device_code_client_secret``
+    parameter value, or ``None`` if not present.  This is a custom extension
+    (not defined in RFC 9728).
+
+    Args:
+        www_authenticate: The ``WWW-Authenticate`` header value.
+
+    Returns:
+        The device_code_client_secret string, or ``None`` if not present.
+
+    """
+    match = _DEVICE_CODE_CLIENT_SECRET_RE.search(www_authenticate)
+    return match.group(1) if match else None
+
+
 def _parse_metadata_json(body: dict[str, Any]) -> OAuthResourceMetadataResponse:
     """Parse a JSON dict into an ``OAuthResourceMetadataResponse``.
 
@@ -1126,6 +1171,8 @@ def _parse_metadata_json(body: dict[str, Any]) -> OAuthResourceMetadataResponse:
         client_id=body.get("client_id"),
         client_secret=body.get("client_secret"),
         use_id_token_as_bearer=body.get("use_id_token_as_bearer", False),
+        device_code_client_id=body.get("device_code_client_id"),
+        device_code_client_secret=body.get("device_code_client_secret"),
     )
 
 
diff --git a/vgi_rpc/http/_oauth.py b/vgi_rpc/http/_oauth.py
@@ -51,6 +51,12 @@ class OAuthResourceMetadata:
         use_id_token_as_bearer: When ``True``, tells clients to use the
             OIDC ``id_token`` as the Bearer token instead of the
             ``access_token``.  Custom extension (not defined in RFC 9728).
+        device_code_client_id: OAuth client_id that clients should use
+            specifically for the device code grant flow.  Custom extension
+            (not defined in RFC 9728).
+        device_code_client_secret: OAuth client_secret that clients should
+            use specifically for the device code grant flow.  Custom
+            extension (not defined in RFC 9728).
 
     Raises:
         ValueError: If *resource* is empty or *authorization_servers* is empty.
@@ -69,6 +75,8 @@ class OAuthResourceMetadata:
     client_id: str | None = None
     client_secret: str | None = None
     use_id_token_as_bearer: bool = False
+    device_code_client_id: str | None = None
+    device_code_client_secret: str | None = None
 
     def __post_init__(self) -> None:
         """Validate required fields."""
@@ -86,6 +94,16 @@ def __post_init__(self) -> None:
                 "OAuthResourceMetadata.client_secret must contain only URL-safe characters "
                 "(alphanumeric, hyphen, underscore, period, tilde)"
             )
+        if self.device_code_client_id is not None and not _URL_SAFE_RE.fullmatch(self.device_code_client_id):
+            raise ValueError(
+                "OAuthResourceMetadata.device_code_client_id must contain only URL-safe characters "
+                "(alphanumeric, hyphen, underscore, period, tilde)"
+            )
+        if self.device_code_client_secret is not None and not _URL_SAFE_RE.fullmatch(self.device_code_client_secret):
+            raise ValueError(
+                "OAuthResourceMetadata.device_code_client_secret must contain only URL-safe characters "
+                "(alphanumeric, hyphen, underscore, period, tilde)"
+            )
 
     def to_json_dict(self) -> dict[str, object]:
         """Serialize to a JSON-compatible dict per RFC 9728.
@@ -120,6 +138,10 @@ def to_json_dict(self) -> dict[str, object]:
             d["client_secret"] = self.client_secret
         if self.use_id_token_as_bearer:
             d["use_id_token_as_bearer"] = True
+        if self.device_code_client_id is not None:
+            d["device_code_client_id"] = self.device_code_client_id
+        if self.device_code_client_secret is not None:
+            d["device_code_client_secret"] = self.device_code_client_secret
         return d
 
 
@@ -172,4 +194,8 @@ def _build_www_authenticate(metadata: OAuthResourceMetadata, prefix: str = "/vgi
         challenge += f', client_secret="{metadata.client_secret}"'
     if metadata.use_id_token_as_bearer:
         challenge += ', use_id_token_as_bearer="true"'
+    if metadata.device_code_client_id is not None:
+        challenge += f', device_code_client_id="{metadata.device_code_client_id}"'
+    if metadata.device_code_client_secret is not None:
+        challenge += f', device_code_client_secret="{metadata.device_code_client_secret}"'
     return challenge
