Device Authorization Grant support

[solevic]

Checklist

• I read the Contribution Guidelines
• I signed the CLA and WG Agreements
• I ran, updated and added unit tests as necessary.
• I verified the contribution matches existing coding style.
• I updated the documentation if necessary.

Motivation and Context

As described in issue #675, AppAuth-Android does not currently support authentication for Android devices that either lack a browser or have limited input capabilities to fully perform the traditional authentication flow. Adding support of the extension Device Authorization Grant as described in RFC 8628 would allow such devices to obtain tokens from the authorization server with the help of a secondary device with browser and common input capabilities.

Description

The implementation follows the Device Authorization Grant - RFC 8628 and exposes the following:

• A DeviceAuthorizationRequest with its associated DeviceAuthorizationResponse
• The additional grant type urn:ietf:params:oauth:grant-type:device_code in the TokenRequest Builder
• Methods to perform the device authorization and token polling in the AuthorizationService
• Helper methods in AuthState to properly handle the new authorization states

As of today, there is no proper way for the user to sign off from devices without a browser, as this would require the extension Token Revocation - RFC 7009 that I would gladly implement after this one.

[caspernpo]

Just wondering, is there any progress on this PR?

[Arifin-pixel]

tes h&h ArFN Deso
_github-pages-challenge-Arifin-pixel
code
43b6a478fba98c2ae1ab7a1fc08832

[davidngoshadow]

Is there any update about this PR ?

[maxrimmer]

Any news on this?

[TheNetStriker]

I've just tested this and it works.

I only found a typo in the readme:

authService.performTokenPollRequestRequest has to times Request at the end, it should be
authService.performTokenPollRequest

Any update when this will be implemented?