OAuth 2.0 Device Authorization Grant

Overview[1][2]#

OAuth 2.0 Device Authorization Grant is defined in RFC 8628 and is an OAuth 2.0 Protocol Flow for browserless and other input-constrained devices. It enables OAuth Clients to request user authorization from devices that have an Internet connection but no easy input method (such as a smart TV, media console, picture frame, or printer), or that lack a suitable browser for a more traditional OAuth flow.

This authorization flow instructs the user to perform the Authentication Request on a secondary device, such as a Mobile Device.

OAuth 2.0 Device Authorization Grant is not intended to replace browser-based OAuth in Native applications on capable devices (like smartphones). Those apps should follow the practices specified in OAuth 2.0 for Native Apps RFC 8252.

The only requirements to use OAuth 2.0 Device Authorization Grant are that the device is connected to the Internet and able to make outbound HTTPS requests, that it can display or otherwise communicate a URI and code sequence to the user, and that the user has a secondary device (e.g., a personal computer or smartphone) from which to process the request. There is no requirement for two-way communication between the OAuth Client and the user-agent, which enables a broad range of Use cases.

Instead of interacting with the end-user's user-agent, the client instructs the end-user to use another computer or device and connect to the authorization server to approve the access request. Since the client cannot receive incoming requests, it polls the authorization server repeatedly until the end-user completes the approval process.

OAuth 2.0 Device Authorization Grant instructs the user to perform the Authorization Request on a secondary device, such as a smartphone.
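The flow described above, as an added example that is not code from this page or from any implementation it lists: a constructed in-memory authorization server with the two device-grant endpoints, the user's approve/deny step from the secondary device, and the device's polling loop with the slow_down back-off RFC 8628 requires. The clock is simulated (no real sleeping), and the verification URI, client_id and scope values are placeholders.

```python
import secrets
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # RFC 8628 sec. 6.1: short code from an unambiguous alphabet, no vowels

class DeviceAuthServer:  # constructed in-memory authorization server exposing the two device-grant endpoints
    def __init__(self, lifetime=1800, interval=5):
        self.lifetime, self.interval, self.now, self.pending = lifetime, interval, 0, {}

    def device_authorization(self, client_id, scope):  # Device Authorization Request from the constrained device
        device_code = secrets.token_urlsafe(32)  # secret, never shown to the user, bound to client_id below
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))  # what the device displays
        self.pending[device_code] = dict(client_id=client_id, scope=scope, user_code=user_code, approved=None,
                                         expires_at=self.now + self.lifetime, last_poll=None)
        return dict(device_code=device_code, user_code=f"{user_code[:4]}-{user_code[4:]}", interval=self.interval,
                    verification_uri="https://as.example/device", expires_in=self.lifetime)

    def user_decision(self, typed_code, approve):  # secondary device: user types the displayed code at verification_uri
        key = typed_code.replace("-", "").upper()
        match = [r for r in self.pending.values() if r["user_code"] == key and r["expires_at"] > self.now]
        if match:
            match[0]["approved"] = approve
        return bool(match)  # False for an unknown or expired code

    def token(self, device_code, client_id):
        """Device Access Token Request (grant_type=urn:ietf:params:oauth:grant-type:device_code)."""
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if rec["expires_at"] <= self.now:
            self.pending.pop(device_code)
            return {"error": "expired_token"}
        last, rec["last_poll"] = rec["last_poll"], self.now
        if last is not None and self.now - last < self.interval:
            return {"error": "slow_down"}  # client must add 5 seconds to its polling interval
        if rec["approved"] is None:
            return {"error": "authorization_pending"}
        self.pending.pop(device_code)  # a decided device_code is single use
        if not rec["approved"]:
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "scope": rec["scope"]}

def poll_for_token(server, auth, client_id):  # device side: poll until a final answer, honouring interval and slow_down
    interval, deadline = auth["interval"], server.now + auth["expires_in"]
    while server.now <= deadline:
        resp = server.token(auth["device_code"], client_id)
        if resp.get("error") == "slow_down":
            interval += 5
        elif resp.get("error") != "authorization_pending":
            return resp  # access_token, access_denied, expired_token or invalid_grant ends polling
        server.now += interval  # stand-in for time.sleep(interval) on the simulated clock
    return {"error": "expired_token"}
```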

Known implementations of OAuth 2.0 Device Authorization Grant:

More Information#

There might be more information for this subject on one of the following: