The OAuth 2.0 Device Profile is defined (as far as we know) only in OAuth 2.0 Device Profile draft-recordon-oauth-v2-device-00.

The OAuth 2.0 Device Profile is suitable for clients executing on devices that do not have an easy data-entry method (e.g. game consoles or media hubs), but where the end-user has separate access to a user-agent on another computer or device (e.g. a home computer, a laptop, or a smart phone). The client is incapable of receiving incoming requests from the Authorization Server (incapable of acting as an HTTP server).

Instead of interacting with the end-user's user-agent, the client instructs the end-user to use another computer or device and connect to the Authorization Server to approve the access request. Since the client cannot receive incoming requests, it polls the Authorization Server repeatedly until the end-user completes the approval process.

The OAuth 2.0 Device Profile does not utilize the client secret, since the client executables reside on a local device, which makes the client secret accessible and exploitable.
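The polling exchange and the absence of a client secret described above, as an added example that is not part of the original page or of the draft. The `FakeAuthorizationServer` class, the field names, the error strings, and the `as.example` URL are assumptions constructed for illustration; the clock and sleep functions are injected so the flow runs offline.

```python
import secrets

class FakeAuthorizationServer:
    """Constructed in-memory stand-in; field and error names are assumptions."""
    def __init__(self, lifetime=60, interval=5):
        self.lifetime, self.interval, self.grants = lifetime, interval, {}

    def start(self, client_id, now):
        # Only client_id is sent: the profile does not use a client secret.
        device_code = secrets.token_urlsafe(32)    # long, never shown to the user
        user_code = secrets.token_hex(4).upper()   # short, typed by the user
        self.grants[device_code] = {"client_id": client_id, "user_code": user_code,
            "status": "pending", "last_poll": None, "expires": now + self.lifetime}
        return {"device_code": device_code, "user_code": user_code,
                "interval": self.interval, "verification_uri": "https://as.example/device"}

    def decide(self, user_code, approved):
        for grant in self.grants.values():          # called from the user's browser
            if grant["user_code"] == user_code and grant["status"] == "pending":
                grant["status"] = "approved" if approved else "denied"

    def poll(self, client_id, device_code, now):
        grant = self.grants.get(device_code)
        if grant is None or grant["client_id"] != client_id:
            return {"error": "invalid_code"}
        if now >= grant["expires"]:
            return {"error": "expired"}
        last, grant["last_poll"] = grant["last_poll"], now
        if last is not None and now - last < self.interval:
            return {"error": "slow_down"}
        if grant["status"] != "approved":
            return {"error": grant["status"]}       # "pending" or "denied"
        del self.grants[device_code]                # a device code is single use
        return {"access_token": secrets.token_urlsafe(32)}

def run_device_client(server, client_id, clock, sleep, prompt):
    """The device: show the code, then poll; it never accepts inbound requests."""
    grant = server.start(client_id, clock())
    prompt(grant["verification_uri"], grant["user_code"])
    interval = grant["interval"]
    while True:
        sleep(interval)
        reply = server.poll(client_id, grant["device_code"], clock())
        if "access_token" in reply:
            return reply["access_token"]
        if reply["error"] == "slow_down":
            interval += 5                           # back off when told to
        elif reply["error"] != "pending":
            raise PermissionError(reply["error"])   # denied, expired, invalid
```

Because the device code is the only credential the device holds, the stand-in server binds it to the `client_id`, expires it, rate-limits polling, and deletes it after one successful exchange.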

Chromecast and OAuth 2.0[1]

It appears Chromecast makes use of the OAuth 2.0 Device Profile.

OAuth 2.0 Device Profile

This page (revision-6) was last changed on 06-Nov-2015 13:57 by jim