IBM Verify

  • 1.  OAuth: scope on Device Flows

    Posted Tue July 12, 2022 08:42 AM
    Edited by Wendy Batten Tue July 12, 2022 12:48 PM
    I ran into a problem and can't figure out how to solve it.
    ISAM version 9.0.7.2
    preToken and postToken scripts almost from template

    If I send an "empty" request to device_authorize, everything works (almost perfectly; I'm missing id_token in /token, but I can put it there based on the suggestion from https://community.ibm.com/community/user/security/communities/community-home/digestviewer/viewthread?MessageKey=5098215c-c0a4-4c6d-8cac-79158e825fb9&CommunityKey=e7c36119-46d7-42f2-97a9-b44f0cc89c6d#bm5098215c-c0a4-4c6d-8cac-25)
    POST https://idpdev.delta.sbrf.ru/mga/sps/oauth/oauth20/device_authorize?client_id=devicetest
    And I get a response:
    {
      "user_code": "uo1t-ulcs",
      "device_code": "SjIV51ypc304lZnKt4ZUM80tgv5rm0",
      "scope": "",
      "interval": 5,
      "verification_uri_complete": "https://idp/mga/sps/oauth/oauth20/user_authorize?user_code=uo1t-ulcs",
      "verification_uri": "https://idp/mga/sps/oauth/oauth20/user_authorize",
      "expires_in": 299
    }
    After entering the login, password and permission confirmation (nothing), I can go to /token or /user_info and get an access_token (or id_token, collected according to the workaround from the article above).

    But the standard information about the user is not enough for me; I need to add a scope to the call, but then the device flow "turns into a pumpkin"...
    POST https://idpdev.delta.sbrf.ru/mga/sps/oauth/oauth20/device_authorize?client_id=devicetest2&scope=openid
    I will also get an answer:
    {
      "user_code": "uo1t-ulcs",
      "device_code": "SjIV51ypc304lZnKt4ZUM80tgv5rm0",
      "scope": "openid",
      "interval": 5,
      "verification_uri_complete": "https://idp/mga/sps/oauth/oauth20/user_authorize?user_code=uo1t-ulcs",
      "verification_uri": "https://idp/mga/sps/oauth/oauth20/user_authorize",
      "expires_in": 299
    }
    But now, after entering the login, password and confirming the permission (openid), when I try to go to /token or /user_info, I always see this:
    {
      "error_description": "FBTOAU256E Pending. The user code is not yet verified.",
      "error": "authorization_pending"
    }

    The suggestion from "OAuth: Device Flows - IBM Security Identity and Access" doesn't solve the problem.

    ------------------------------
    Sergey Leontev
    ------------------------------
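For readers unfamiliar with the exchange being debugged, here is an added worked example (not ISAM or IBM Verify code, and not part of the original post) that implements both sides of the RFC 8628 device authorization grant in memory: the /device_authorize response, the user verifying the user_code in a browser, and the device polling /token, which answers authorization_pending until the code is verified, slow_down if the device polls faster than the advertised interval, and finally issues an access_token plus an id_token only when openid was among the granted scopes. Endpoint paths and JSON field names follow the post; the client ids, user-code format, token values, the DeviceFlowServer/poll_for_token/run_flow names and the fake clock are assumptions made here.

```python
"""Device Authorization Grant (RFC 8628) round trip: a constructed in-memory
authorization server plus the polling client. Added example, not ISAM or IBM
Verify code; endpoint names and JSON fields follow the post, the rest is made up."""
import secrets
import time


class DeviceFlowServer:
    """Constructed stand-in for /device_authorize, /user_authorize and /token."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.grants = {}  # device_code -> grant record
        self.codes = {}   # user_code -> device_code

    def device_authorize(self, client_id, scope=""):
        device_code = secrets.token_urlsafe(24)
        user_code = f"{secrets.token_hex(2)}-{secrets.token_hex(2)}"  # format is an assumption
        self.grants[device_code] = {
            "client_id": client_id,
            "scope": scope.split(),   # requested scopes as a list
            "username": None,         # filled in only once the user verifies the code
            "expires_at": self.clock() + 300,
            "last_poll": None,
            "interval": 5,
            "redeemed": False,
        }
        self.codes[user_code] = device_code
        base = "https://idp/mga/sps/oauth/oauth20/user_authorize"
        return {"user_code": user_code, "device_code": device_code, "scope": scope,
                "interval": 5, "verification_uri": base,
                "verification_uri_complete": f"{base}?user_code={user_code}",
                "expires_in": 300}

    def user_authorize(self, user_code, username, approved):
        """Browser side: the user logs in and approves (a subset of) the requested scopes."""
        grant = self.grants[self.codes[user_code]]
        grant["scope"] = [s for s in grant["scope"] if s in approved]
        grant["username"] = username

    def token(self, device_code, client_id):
        grant = self.grants.get(device_code)
        if grant is None or grant["client_id"] != client_id or grant["redeemed"]:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > grant["expires_at"]:
            return {"error": "expired_token"}
        if grant["last_poll"] is not None and now - grant["last_poll"] < grant["interval"]:
            grant["interval"] += 5  # RFC 8628 section 3.5: a client polling too fast must back off
            return {"error": "slow_down"}
        grant["last_poll"] = now
        if grant["username"] is None:
            return {"error": "authorization_pending",
                    "error_description": "Pending. The user code is not yet verified."}
        grant["redeemed"] = True  # a device code is single use
        resp = {"access_token": secrets.token_urlsafe(32), "token_type": "bearer",
                "expires_in": 3600, "scope": " ".join(grant["scope"])}
        if "openid" in grant["scope"]:  # id_token only for an OpenID Connect request
            resp["id_token"] = "constructed.id_token.for." + grant["username"]
        return resp


def poll_for_token(server, client_id, auth, clock, sleep):
    """Device side: poll /token at the advertised interval until verified or expired."""
    interval, deadline = auth["interval"], clock() + auth["expires_in"]
    errors = []
    while clock() < deadline:
        resp = server.token(auth["device_code"], client_id)
        err = resp.get("error")
        if err is None:
            return resp, errors
        errors.append(err)
        if err == "slow_down":
            interval += 5
        elif err != "authorization_pending":
            raise RuntimeError(resp.get("error_description", err))
        sleep(interval)
    raise TimeoutError("device code expired before the user verified it")


class FakeClock:
    """Constructed clock so the example runs without real sleeps."""
    def __init__(self):
        self.t = 0.0
    def now(self):
        return self.t
    def sleep(self, seconds):
        self.t += seconds


def run_flow(scope="openid", approve_after_polls=2):
    """One complete exchange; the user 'finishes at the browser' after N pending polls."""
    clock = FakeClock()
    server = DeviceFlowServer(clock=clock.now)
    auth = server.device_authorize("devicetest2", scope)
    sleeps = [0]

    def sleep(seconds):
        clock.sleep(seconds)
        sleeps[0] += 1
        if sleeps[0] == approve_after_polls:
            server.user_authorize(auth["user_code"], "leontyev-si", ["openid", "profile"])

    return poll_for_token(server, "devicetest2", auth, clock.now, sleep)


if __name__ == "__main__":
    tok, errs = run_flow()
    print(errs, tok["scope"], "id_token" in tok)
```

Run with scope "" to see the post's first case (token issued, no id_token) and with "openid" for the second; the device only ever sees authorization_pending until user_authorize has recorded the username for that grant, which is exactly the state the poster is stuck in.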


  • 2.  RE: OAuth: scope on Device Flows

    Posted Wed July 20, 2022 03:08 AM
    Next step of trace my problem:
    invoke Module mode: map
    executeStrategyTaskChain ENTRY oauth20:post-map:invoke
    execute ENTRY

    getRequestTypeFromSTSUU RETURN user_authorize
    getGrantTypeFromSTSUU RETURN null
    getResponseTypeFromSTSUU RETURN null
    execute OAUTH20 Flow: Request Type=user_authorize Grant Type=null ResponseType=null
    getStateIdFromSTSUU RETURN uuid1626acbf-0182-12f2-b6a5-a5e9191d8b96
    getAccessTokenFromSTSUU RETURN null
    getAuthCodeFromSTSUU RETURN null
    getRefreshTokenFromSTSUU RETURN null
    getClientIdFromSTSUU Found client ID from STSUU: devicetest2
    getUserNameFromSTSUU RETURN leontyev-si
    getScopeFromSTSUU RETURN [Ljava.lang.String;@1e3a226f
    execute Determining route for key: OAUTH20_REQUEST_TYPE with value: user_authorize
    execute ENTRY
    getInstance() ENTRY
    getInstance() RETURN TokenCacheDAOSecureStorageJdbcImpl
    updateUsernameForGrant ENTRY uuid1626acbf-0182-12f2-b6a5-a5e9191d8b96 leontyev-si [Ljava.lang.String;@fa264643
    execute ENTRY UPDATE OAUTH20_TOKEN_CACHE SET USERNAME = ? , SCOPE = ?  WHERE STATE_ID = ?
    setPreparedStatementParam ENTRY 1 leontyev-si
    setPreparedStatementParam ENTRY 2 [Ljava.lang.String;@fa264643
    setPreparedStatementParam Can not set param of type: class [Ljava.lang.String;
    setPreparedStatementParam ENTRY 3 uuid1626acbf-0182-12f2-b6a5-a5e9191d8b96
    setPreparedStatementParam RETURN
    execute org.postgresql.util.PSQLException: No value specified for parameter 2.
    at org.postgresql.core.v3.SimpleParameterList.checkAllParametersSet(SimpleParameterList.java:270)
    at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:296)

    For some reason, the process is trying to shove a reference to an object instead of a string representation of scopes. Has anyone come across a similar issue and been able to resolve it?

    ------------------------------
    Sergey Leontev
    ------------------------------
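The trace above shows the single UPDATE that stores both USERNAME and SCOPE for the grant failing because the scope is bound as a Java String[] rather than a String. The following added example (not ISAM code, not part of the thread) reproduces that failure mode in a constructed sqlite3 table whose table and column names copy the trace: when the driver cannot bind the parameter the whole UPDATE is lost, the username is never written, and a polling /token request keeps seeing authorization_pending. scope_to_db serializes the scope to the space-delimited string form of RFC 6749 section 3.3 before it is bound. The helper names, the in-memory table and the demo wiring are assumptions made here.

```python
"""Constructed sqlite3 reproduction of the failed token-cache UPDATE in the trace.
Added example, not ISAM code: table and column names copy the trace, everything
else (helper names, in-memory table, demo wiring) is an assumption."""
import sqlite3

DDL = "CREATE TABLE OAUTH20_TOKEN_CACHE (STATE_ID TEXT PRIMARY KEY, USERNAME TEXT, SCOPE TEXT)"
UPDATE = "UPDATE OAUTH20_TOKEN_CACHE SET USERNAME = ?, SCOPE = ? WHERE STATE_ID = ?"


def new_cache(state_id, requested_scope):
    """Row as it looks right after /device_authorize: scope known, no user yet."""
    conn = sqlite3.connect(":memory:")
    conn.execute(DDL)
    conn.execute("INSERT INTO OAUTH20_TOKEN_CACHE VALUES (?, NULL, ?)", (state_id, requested_scope))
    conn.commit()
    return conn


def scope_to_db(scope):
    """Serialize a scope given as a list or a string to the space-delimited RFC 6749 form."""
    tokens = scope.split() if isinstance(scope, str) else list(scope)
    return " ".join(tokens)


def update_username_for_grant(conn, state_id, username, scope):
    """Same UPDATE as the trace. Returns False when the driver cannot bind a parameter;
    nothing is written in that case, so the grant never records who verified it."""
    try:
        conn.execute(UPDATE, (username, scope, state_id))
        conn.commit()
        return True
    except sqlite3.Error:  # e.g. "Error binding parameter ... type 'list' is not supported"
        conn.rollback()
        return False


def token_endpoint_status(conn, state_id):
    """What a polling /token request sees: pending until USERNAME has been stored."""
    row = conn.execute("SELECT USERNAME FROM OAUTH20_TOKEN_CACHE WHERE STATE_ID = ?",
                       (state_id,)).fetchone()
    return "authorization_pending" if row is None or row[0] is None else "verified"


def demo(bind_scope_as_array):
    """Bind the scope either as a raw list (the trace's failure) or as a normalized string."""
    sid = "uuid1626acbf-0182-12f2-b6a5-a5e9191d8b96"  # state id from the trace
    conn = new_cache(sid, "openid")
    scope = ["openid"] if bind_scope_as_array else scope_to_db(["openid"])
    written = update_username_for_grant(conn, sid, "leontyev-si", scope)
    return written, token_endpoint_status(conn, sid)


if __name__ == "__main__":
    print("array bound directly:", demo(True))
    print("space-delimited string:", demo(False))
```

The point of the two demo runs is the coupling the trace exposes: USERNAME and SCOPE are written by one statement, so a bad scope value does not merely lose the scope, it leaves the grant unverified from the token endpoint's point of view.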