A brief introduction to OAuth 2.0 device flow
This article explores OAuth 2.0 device flow, a solution for identity authentication on devices that either lack a browser to perform a user-agent-based authorization or are input constrained, outlining its purpose and user interaction flow.
As an authorization framework, OAuth 2.0 is widely used in various scenarios. In the authentication flows provided by OAuth, the most common one is the Authorization Code Flow. When a user authenticate his identity within an application using the Authorization Code Flow, the app will open a browser from the device to access the authorization endpoint, and then the user will input his identifiers (username, email, etc.) and credentials (password, verification code, etc.) to complete the authentication.
However, when a user try to use an app on a device that lacks a browser or even the capability to input their account credentials, how can we perform identity authentication through OAuth 2.0? And this is where the “device flow“ comes into play.
What is OAuth 2.0 device flow
The OAuth 2.0 device flow is an implementation of the OAuth 2.0 protocol designed to support devices that have limited input capabilities or lack a suitable browser. These devices include smart TVs, IoT devices, printers, etc..
Device flow enables users to initiate authorization requests on the mentioned devices, subsequently, user can review the authorization request and complete the user authorization through another device with browser access and input capabilities, such as a smartphone or personal computer.
Also, device flow is often used for CLI tools (like those provided by Stripe, Github, Cloudflare), because CLI tools are often run on operating systems without a graphical interface.
User interaction flow when using device flow
When a user use the device flow for authentication, it mainly includes the following steps:
- The device client request authorization from the auth server with a client identifier (usually the client id on the auth server platform).
- The auth server responds to the device client with device code, user code and verification URI.
- The device client displays the verification URI and user code to the user in the form of text (or a QR code, etc.), instructing the user to visit the URI and enter the code.
- At the same time as step 3, the device client start polling for access tokens with device code and client identifier from the auth server and start waiting the user to review the authorization request and complete the user authorization.
- The user visits the verification URI hosted by the auth server, via a browser in another device, and enter the user code.
- The auth server redirects the user to the sign-in page and instructs the user to complete signing in.
- The user completed the sign-in flow and signed in successfully.
- The auth server redirects the user to the sign-in success page and instructs the user to close the browser
- At the same time as step 8, the auth server returns access tokens to the device client since the client has been polling since step 4.
After these processes, the device client will be able to obtain the access token for subsequent services!
Summary
As you've observed, the OAuth 2.0 device flow provides a user-friendly sign-in method for devices lacking easy input capabilities or a browser. This is crucial for devices such as smart TVs, IoT devices, and CLI tools that runs on a lack graphical interfaces device.
Exciting news awaits as Logto is in the process of supporting the device flow feature. Stay tuned and we'll keep you posted with latest updates.