fix: delete oidc session when used

handler/openid/flow_device_token.go

@@ -26,7 +26,7 @@ func (c *OpenIDConnectDeviceHandler) PopulateTokenEndpointResponse(ctx context.C
 	}
 
 	deviceCode := requester.GetRequestForm().Get("device_code")
-	signature, err := c.DeviceCodeStrategy.DeviceCodeSignature(ctx, deviceCode)
+	signature, _ := c.DeviceCodeStrategy.DeviceCodeSignature(ctx, deviceCode)
 	ar, err := c.OpenIDConnectRequestStorage.GetOpenIDConnectSession(ctx, signature, requester)
 	if errors.Is(err, ErrNoSessionFound) {
 		return errorsx.WithStack(fosite.ErrUnknownRequest.WithWrap(err).WithDebug(err.Error()))
@@ -49,6 +49,11 @@ func (c *OpenIDConnectDeviceHandler) PopulateTokenEndpointResponse(ctx context.C
 		return errorsx.WithStack(fosite.ErrServerError.WithDebug("Failed to generate id token because subject is an empty string."))
 	}
 
+	err = c.OpenIDConnectRequestStorage.DeleteOpenIDConnectSession(ctx, deviceCode)
+	if err != nil {
+		return errorsx.WithStack(fosite.ErrServerError.WithWrap(err).WithDebug(err.Error()))
+	}
+
 	claims.AccessTokenHash = c.GetAccessTokenHash(ctx, requester, responder)
 
 	idTokenLifespan := fosite.GetEffectiveLifespan(requester.GetClient(), fosite.GrantTypeDeviceCode, fosite.IDToken, c.Config.GetIDTokenLifespan(ctx))

handler/openid/flow_device_token_test.go

@@ -218,6 +218,7 @@ func TestDeviceToken_PopulateTokenEndpointResponse(t *testing.T) {
 					},
 				}
 				store.EXPECT().GetOpenIDConnectSession(gomock.Any(), gomock.Any(), areq).Return(authreq, nil)
+				store.EXPECT().DeleteOpenIDConnectSession(gomock.Any(), gomock.Any()).Return(nil)
 			},
 			check: func(t *testing.T, aresp *fosite.AccessResponse) {
 				assert.NotEmpty(t, aresp.GetExtra("id_token"))