OAuth 2.0 Device Profile


OAuth 2.0 Device Profile is defined (as far as we know) only in the expired Internet-Draft OAuth 2.0 Device Profile, draft-recordon-oauth-v2-device-00.

The OAuth 2.0 Device Profile is suitable for clients executing on devices which do not have an easy data-entry method (e.g. game consoles or media hubs), but where the end-user has separate access to a user-agent on another computer or device (e.g. a home computer, a laptop, or a smart phone). The client is incapable of receiving incoming requests from the Authorization Server (it cannot act as an HTTP server).

OAuth 2.0 Device Profile was replaced by OAuth 2.0 Device Authorization Grant.

Instead of interacting with the end-user's user-agent, the client instructs the end-user to use another computer or device and connect to the Authorization Server to approve the access request. Since the client cannot receive incoming requests, it polls the Authorization Server repeatedly until the end-user completes the approval process.

The OAuth 2.0 Device Profile does not utilize a client Secret, since the client executable resides on a local device, where any embedded client Secret would be accessible to whoever holds the device and therefore exploitable.
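The flow described above, both the device client and the Authorization Server side, as an added in-process simulation (this is example code written for this page, not code from the draft or from any implementation). It uses a fake clock so that it runs deterministically offline. The parameter and error names (`device_code`, `user_code`, `verification_uri`, `interval`, `authorization_pending`, `slow_down`, `expired_token`), the client_id `tv-app` and the URI `https://as.example/device` are assumptions modelled on later device-flow specifications, not values quoted from this page. Note that the client identifies itself with a public client_id only: no client Secret is involved, for the reason given above.

```python
"""Simulated OAuth 2.0 device flow: client polls until the end-user approves."""
import secrets


class FakeClock:
    """Constructed clock so the example is deterministic and needs no sleeping."""

    def __init__(self, start=1000.0):
        self.now = start

    def time(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


class AuthorizationServer:
    """Minimal in-memory Authorization Server for the device flow (example only)."""

    def __init__(self, clock, code_lifetime=600, interval=5):
        self.clock = clock                  # callable returning current time in seconds
        self.code_lifetime = code_lifetime  # seconds a pending approval stays valid
        self.interval = interval            # minimum seconds between client polls
        self.pending = {}                   # device_code -> approval record
        self.by_user_code = {}              # user_code -> device_code

    def device_authorization(self, client_id):
        """Step 1: the device asks for codes. Only a public client_id is needed."""
        device_code = secrets.token_urlsafe(32)          # long, never shown to the user
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))  # short, typed by the user
        self.pending[device_code] = {"client_id": client_id, "approved": False,
                                     "expires_at": self.clock() + self.code_lifetime,
                                     "last_poll": None}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://as.example/device",  # assumed value
                "expires_in": self.code_lifetime, "interval": self.interval}

    def approve(self, user_code):
        """Step 2: the end-user enters user_code in a browser on another device."""
        device_code = self.by_user_code.pop(user_code, None)
        if device_code is None or device_code not in self.pending:
            return False
        self.pending[device_code]["approved"] = True
        return True

    def token(self, client_id, device_code):
        """Step 3: polled by the device; returns a token or an error dict."""
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now >= rec["expires_at"]:
            del self.pending[device_code]           # stale codes are discarded
            return {"error": "expired_token"}
        too_fast = rec["last_poll"] is not None and now - rec["last_poll"] < self.interval
        rec["last_poll"] = now
        if too_fast:
            return {"error": "slow_down"}           # client must back off
        if not rec["approved"]:
            return {"error": "authorization_pending"}
        del self.pending[device_code]               # single use once redeemed
        return {"access_token": secrets.token_urlsafe(24), "token_type": "bearer"}


class DeviceClient:
    """The console/media-hub side: cannot receive requests, so it polls."""

    def __init__(self, server, sleep, client_id="tv-app"):  # client_id is assumed
        self.server, self.sleep, self.client_id = server, sleep, client_id
        self.grant = None
        self.wait = None

    def start(self):
        """Obtain codes and return what the device should display to the user."""
        self.grant = self.server.device_authorization(self.client_id)
        self.wait = self.grant["interval"]
        return self.grant["user_code"], self.grant["verification_uri"]

    def poll_once(self):
        """Wait the advertised interval, then ask the server once."""
        self.sleep(self.wait)
        return self.server.token(self.client_id, self.grant["device_code"])

    def poll_until_done(self, max_polls=100):
        """Keep polling while pending; back off on slow_down; stop on any other error."""
        for _ in range(max_polls):
            resp = self.poll_once()
            if "access_token" in resp:
                return resp
            if resp["error"] == "authorization_pending":
                continue
            if resp["error"] == "slow_down":
                self.wait += 5                      # increase interval as instructed
                continue
            return resp                             # expired_token / invalid_grant
        return {"error": "gave_up"}


if __name__ == "__main__":
    clock = FakeClock()
    srv = AuthorizationServer(clock.time)
    cli = DeviceClient(srv, clock.sleep)
    user_code, uri = cli.start()
    print("Visit", uri, "and enter", user_code)
    print(cli.poll_once())          # user has not acted yet: authorization_pending
    srv.approve(user_code)          # user enters the code on a laptop
    print(cli.poll_until_done())    # next poll returns the access token
```

The simulation shows the two points the text makes: the device never receives a request (it only calls `token()`), and the only credential it presents is its public client_id. The server side also illustrates the checks a practitioner would expect: approval codes expire, are single use, and a client polling faster than the advertised interval is told to slow down.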

Chromecast and OAuth 2.0[1]

It appears Chromecast makes use of OAuth 2.0 Device Profile.

