
OIDC client secret is not taken into account using device flow #3258

Open
tailtwo opened this issue Sep 25, 2023 · 2 comments
Labels
bug Something isn't working

Comments

@tailtwo

tailtwo commented Sep 25, 2023

Description

It seems that the OIDC client secret is not taken into account when Cosign is using device flow.

./cosign-linux-amd64 -d sign docker.redacted.com/testimage:latest \
--oidc-client-id='sigstore' \
--oidc-issuer='https://keycloak.redacted.com/realms/testrealm' \
--fulcio-url='http://fulcio.redacted.com/' \
--rekor-url='http://rekor.redacted.com/' \
--oidc-client-secret-file='client-credentials.txt' </dev/null >cosign.log 2>&1

Gives me:

Generating ephemeral keys...
Retrieving signed certificate...
Non-interactive mode detected, using device flow.
Error: signing [docker.redacted.com/imagetest:latest]: getting signer: getting key from Fulcio: retrieving cert: 401 Unauthorized: {"error":"unauthorized_client","error_description":"Invalid client or Invalid client credentials"}
main.go:74: error during command execution: signing [docker.redacted.com/imagetest:latest]: getting signer: getting key from Fulcio: retrieving cert: 401 Unauthorized: {"error":"unauthorized_client","error_description":"Invalid client or Invalid client credentials"}

Keycloak log:

2023-09-25 10:09:23,141 WARN  [org.keycloak.events] (executor-thread-158) type=OAUTH2_DEVICE_AUTH_ERROR, realmId=redacted, clientId=sigstore, userId=null, ipAddress=redacted, error=invalid_client_credentials

The specified client (sigstore) does exist inside Keycloak. Client authentication is enabled on the Keycloak side with a set Client ID and secret. The client-credentials.txt file exists and contains the correct secret. OAuth 2.0 Device Authorization Grant is enabled as well. I was able to sign an image using the normal flow, but not with the device flow. I found an issue and a merged MR; it looks like those are related to my problem? #1309 #1310

Version

GitVersion: v2.2.0
GitCommit: 546f1c5

@tailtwo tailtwo added the bug Something isn't working label Sep 25, 2023
@haydentherapper
Contributor

At a glance this should be passed; user-provided client secrets have been supported for some time. If someone would like to dig into the code and see where the secret isn't getting passed, I'm open to a PR to fix this.

@nkreiger
Contributor

nkreiger commented Feb 3, 2024

@tailtwo did you find a resolution to this? @haydentherapper I'm also seeing this issue for OAUTH2_DEVICE_AUTH_ERROR. The exact same parameters (client id, secret, etc.) work fine when running outside of non-interactive mode; however, when running in non-interactive mode, it throws invalid_client_credentials.

@haydentherapper I found that the client_secret is not being passed here:

https://github.com/sigstore/sigstore/blob/main/pkg/oauthflow/device.go#L93

which causes an issue with Keycloak. However, the issue is moot, because even if it's passed correctly, Keycloak's device flow requires browser interactivity, so it doesn't work anyway.


On a separate note, @haydentherapper, is there any interest in a PR to add client_credentials as another cosign flow? Because the device flow doesn't work with Keycloak, I ended up whipping that up. Is there a reason that already isn't a flow? Happy to PR it back in -- would rather have it that way.
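The behaviour both reporters describe is the device authorization request (RFC 8628 section 3.1) being sent with only a client_id, while the Keycloak client is configured as a confidential client and therefore expects client authentication on that request. The following is an added illustration, not code from sigstore, cosign or Keycloak: a minimal device-authorization client that includes the client secret when one is configured, run against a constructed test double of the endpoint that rejects unauthenticated confidential clients the way the issue's Keycloak log shows (the endpoint URL, client id "sigstore", secret and device/user codes are all constructed values). The secret is sent as a form parameter, which RFC 6749 section 2.3.1 permits alongside HTTP Basic auth; the choice of form parameter here is an assumption for simplicity.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// deviceAuthRequest performs the device authorization request of RFC 8628 section 3.1.
// The relevant branch for this issue is the clientSecret check: a confidential client
// must authenticate on this request, otherwise the IdP rejects it before any device
// code is issued and the user never gets a verification URL to visit.
func deviceAuthRequest(endpoint, clientID, clientSecret string, scopes []string) (map[string]any, error) {
	form := url.Values{}
	form.Set("client_id", clientID)
	form.Set("scope", strings.Join(scopes, " "))
	if clientSecret != "" {
		// Client authentication via form parameter (RFC 6749 section 2.3.1).
		form.Set("client_secret", clientSecret)
	}

	req, err := http.NewRequest(http.MethodPost, endpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	var body map[string]any
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return nil, fmt.Errorf("decoding response: %w", err)
	}
	if resp.StatusCode != http.StatusOK {
		// Surface the IdP's own error fields; this is the shape of the message cosign printed.
		return body, fmt.Errorf("%s: %v: %v", resp.Status, body["error"], body["error_description"])
	}
	return body, nil
}

// newFakeDeviceEndpoint is a constructed stand-in for a realm's device authorization
// endpoint with client authentication enabled. It is not Keycloak; it only reproduces
// the observable behaviour from the issue: a request whose client_secret is missing or
// wrong gets 401 with error=unauthorized_client.
func newFakeDeviceEndpoint(clientID, clientSecret string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		if r.Method != http.MethodPost ||
			r.FormValue("client_id") != clientID ||
			r.FormValue("client_secret") != clientSecret {
			w.WriteHeader(http.StatusUnauthorized)
			json.NewEncoder(w).Encode(map[string]any{
				"error":             "unauthorized_client",
				"error_description": "Invalid client or Invalid client credentials",
			})
			return
		}
		// Successful response per RFC 8628 section 3.2 (constructed values).
		json.NewEncoder(w).Encode(map[string]any{
			"device_code":      "constructed-device-code",
			"user_code":        "ABCD-EFGH",
			"verification_uri": "https://idp.example/realms/testrealm/device",
			"expires_in":       600,
			"interval":         5,
		})
	}))
}

func main() {
	srv := newFakeDeviceEndpoint("sigstore", "constructed-secret")
	defer srv.Close()

	// Without the secret: the failure mode reported in the issue.
	if _, err := deviceAuthRequest(srv.URL, "sigstore", "", []string{"openid", "email"}); err != nil {
		fmt.Println("no secret   ->", err)
	}
	// With the secret the IdP issues the device and user codes and polling could begin.
	body, err := deviceAuthRequest(srv.URL, "sigstore", "constructed-secret", []string{"openid", "email"})
	if err != nil {
		fmt.Println("with secret ->", err)
		return
	}
	fmt.Printf("with secret -> user_code=%v, verify at %v\n", body["user_code"], body["verification_uri"])
}
```

This covers only the first request of the device flow. As the comment above notes, a user still has to open the verification URI in a browser and approve the device code before token polling can succeed, so passing the secret fixes the 401 but does not by itself make the flow usable from a fully non-interactive CI job; that is the gap the client_credentials suggestion addresses.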
