The OAuth 2.0 Device Profile is suitable for clients executing on devices which do not have an easy data-entry method (e.g. game consoles or media hubs), but where the end-user has separate access to a user-agent on another computer or device (e.g. a home computer, a laptop, or a smart phone). The client is incapable of receiving incoming requests from the Authorization Server (it cannot act as an HTTP server).
Instead of interacting with the end-user's user-agent, the client instructs the end-user to use another computer or device and connect to the Authorization Server to approve the access request. Since the client cannot receive incoming requests, it polls the Authorization Server repeatedly until the end-user completes the approval process.
The OAuth 2.0 Device Profile does not use a client secret, since the client executable resides on a local device, where any embedded secret would be accessible and exploitable.
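The exchange described above, as an added example that is not part of the original text: a self-contained simulation of the device flow with both sides in one process. The server class, method names, the user-code format and the fixed expiry/polling interval are assumptions for illustration; a real Authorization Server exposes these as HTTPS endpoints returning JSON. The example also models two outcomes the text only implies: the user never approving (the device code expires) and the device code being single use.

```python
# Added example (not a real API): simulation of the device flow; names, the user_code format and intervals are assumptions.
import secrets

class AuthorizationServer:
    def __init__(self, expires_in=600, interval=5):
        self.expires_in, self.interval = expires_in, interval
        self._pending = {}  # device_code -> record

    def device_authorization(self, client_id, now):
        # Only a client_id is sent: no client secret, since a secret shipped in
        # a device binary could be extracted by anyone holding the device.
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))
        self._pending[device_code] = {"user_code": user_code, "issued": now,
                                      "approved": False, "client_id": client_id}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://as.example/device",
                "expires_in": self.expires_in, "interval": self.interval}

    def approve(self, user_code):  # reached from the user's browser on another device
        for rec in self._pending.values():
            if rec["user_code"] == user_code and not rec["approved"]:
                rec["approved"] = True
                return True
        return False

    def token(self, client_id, device_code, now):
        rec = self._pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if now - rec["issued"] > self.expires_in:
            del self._pending[device_code]
            return {"error": "expired_token"}
        if not rec["approved"]:
            return {"error": "authorization_pending"}
        del self._pending[device_code]  # device_code is single use
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}

def run_device_flow(server, client_id="console-app", approve_after_polls=3):
    """Device side with a simulated clock; the user approves after N polls (None: never)."""
    now, polls = 0, 0
    auth = server.device_authorization(client_id, now)
    while True:
        now += auth["interval"]  # never poll faster than the server's interval
        polls += 1
        if polls == approve_after_polls:
            server.approve(auth["user_code"])
        resp = server.token(client_id, auth["device_code"], now)
        if resp.get("error") != "authorization_pending":
            return resp, polls
```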