EDIT 2:
I may be completely off in trying to work with a Device Authorization Code flow and this is just an XY problem.
I want Users of my app to be able to authenticate using a native desktop app. The app is actually an extension for a 3rd party app, so I don’t have full control of the code, just the extension and its limited capabilities.
I want users to log in from their browser, and pass some secret to the native app so that it can “pair” them with their identity, so that next time they open that extension, the extension can send data to the server on my app, and my server will be able to verify their identity (the extension user’s identity).
Following the guide here:
I reach a point where the user has logged in and confirmed the `user_code` for their `device_code`. Now I make the following request to retrieve a token:
```shell
curl --request POST \
  --url 'https://myorg.us.auth0.com/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=urn:ietf:params:oauth:grant-type:device_code \
  --data device_code=AAAA-AAAA \
  --data 'client_id=aaaaaaa'
```
This returns a response similar to the following:
```json
{"access_token":"asdfghjdfghjfghj_aar","scope":"","expires_in":86400,"token_type":"Bearer"}
```
The `access_token` value is not a JWT; it’s a rather short string similar to the example above.
How can I validate this token when it is presented by a client? How can I find which user generated it and what permissions/scopes that user has?
Also, the docs state that:
“Public applications cannot use the `client_credentials` grant type. To use this grant type, you must indicate that the application is confidential rather than public. Use the Management API to set the `token_endpoint_auth_method` to `client_secret_post` or `client_secret_basic`.”
Where can I read more about this? Would it be unusual for a Native App with Device Authorization flow to be “confidential”?
Thanks for any help.
EDIT:
I just saw this question which linked to this FAQ:
From this I can see that if I GET `https://myorg.us.auth0.com/userinfo` with the opaque token, then I receive a response, but it only shows me a JSON object containing the API URL and an array of Roles.
```json
{"https://myapi/api/v1/roles":["Some Role"]}
```
What should I be doing to get this endpoint to display permissions, user details, etc.?
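As an added example (not from the original post or from Auth0), one way the app server could check an opaque access token presented by the extension: defer to the issuer's `/userinfo` endpoint instead of trying to verify the token locally, and reject anything the issuer does not accept. The tenant domain and the roles claim namespace are taken from the post; `_http_get`, `resolve_opaque_token` and `identity_from_claims` are hypothetical names, and the transport is injectable so the check can be exercised offline.

```python
import json
import urllib.request
from typing import Callable, List, Optional, Tuple
from urllib.error import HTTPError

ISSUER = "https://myorg.us.auth0.com"  # tenant domain taken from the post
# Custom claim namespace as it appears in the /userinfo response in the post
ROLES_CLAIM = "https://myapi/api/v1/roles"


def is_jwt(token: str) -> bool:
    """A JWT has three non-empty base64url segments; the opaque token in the post has none."""
    parts = token.split(".")
    return len(parts) == 3 and all(parts)


def _http_get(url: str, token: str) -> Tuple[int, str]:
    """Real transport (hypothetical helper): GET with the token as a Bearer credential."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        return err.code, err.read().decode()


def resolve_opaque_token(token: str,
                         http_get: Callable[[str, str], Tuple[int, str]] = _http_get) -> Optional[dict]:
    """Return the claims the issuer reports for an opaque access token, or None if it is rejected.

    An opaque token carries no verifiable content, so the server cannot check it locally;
    the authoritative answer comes from presenting it to the issuer's /userinfo endpoint.
    Any non-200 answer (expired, revoked, wrong tenant, malformed) is treated as invalid.
    """
    if not token or is_jwt(token):
        return None  # JWT access tokens are verified locally against the tenant JWKS instead
    status, body = http_get(ISSUER + "/userinfo", token)
    if status != 200:
        return None
    try:
        claims = json.loads(body)
    except ValueError:
        return None
    return claims if isinstance(claims, dict) else None


def identity_from_claims(claims: dict) -> Tuple[Optional[str], List[str]]:
    """Pull the stable user id and the roles out of the /userinfo document.

    `sub` and the standard profile/email claims are returned only for tokens obtained with the
    `openid` (plus `profile`/`email`) scopes; the post's token had an empty scope and got only
    the custom namespaced claim back, so `sub` is None in that case.
    """
    return claims.get("sub"), list(claims.get(ROLES_CLAIM, []))
```

Cache a successful lookup for no longer than the `expires_in` value returned with the token, so a revoked token stops being honoured once the issuer stops accepting it.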