From c778674a72cd21f33f879a7a23d29075d9262c68 Mon Sep 17 00:00:00 2001
From: Nikos
Date: Mon, 18 Nov 2024 11:25:36 +0200
Subject: [PATCH] fix: do not create openid session on device auth request

---
 handler/openid/flow_device_auth.go | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)

diff --git a/handler/openid/flow_device_auth.go b/handler/openid/flow_device_auth.go
index efeb2115..5bf8333b 100644
--- a/handler/openid/flow_device_auth.go
+++ b/handler/openid/flow_device_auth.go
@@ -25,6 +25,9 @@ type OpenIDConnectDeviceHandler struct {
 }
 
 func (c *OpenIDConnectDeviceHandler) HandleDeviceEndpointRequest(ctx context.Context, dar fosite.DeviceRequester, resp fosite.DeviceResponder) error {
+ // We don't want to create the openid session on this call, because we don't know if the user
+ // will actually complete the flow and give consent. The implementer MUST call the CreateOpenIDConnectSession
+ // methods when the user logs in to instantiate the session.
 if !(dar.GetRequestedScopes().Has("openid")) {
 return nil
 }
@@ -37,14 +40,5 @@ func (c *OpenIDConnectDeviceHandler) HandleDeviceEndpointRequest(ctx context.Con
 return errorsx.WithStack(fosite.ErrMisconfiguration.WithDebug("The device code has not been issued yet, indicating a broken code configuration."))
 }
 
- signature, err := c.DeviceCodeStrategy.DeviceCodeSignature(ctx, resp.GetDeviceCode())
- if err != nil {
- return err
- }
-
- if err := c.OpenIDConnectRequestStorage.CreateOpenIDConnectSession(ctx, signature, dar.Sanitize(oidcParameters)); err != nil {
- return errorsx.WithStack(fosite.ErrServerError.WithWrap(err).WithDebug(err.Error()))
- }
-
 return nil
 }
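Review bot: The comment added at the top of HandleDeviceEndpointRequest puts a MUST on implementers but does not say what key the session is stored under or that the request should be sanitized first. The code removed in the second hunk stored `dar.Sanitize(oidcParameters)` under the device-code signature, so an integrator who stores the raw requester would persist more request data than before, and one who uses a different key would presumably leave the later token exchange unable to find the session (the lookup side is not in this diff). Because this is a contract on callers of an exported method, it belongs in the method's doc comment rather than inside the body, for example `// HandleDeviceEndpointRequest does not persist an OpenID Connect session; the implementer MUST call CreateOpenIDConnectSession with the device-code signature and a sanitized request once the user has logged in and consented.` It is also worth checking whether `oidcParameters` and the `DeviceCodeStrategy` field are still used elsewhere, since the uses visible here are removed. The function body between the two hunks is outside the diff.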