A brief introduction to OAuth 2.0 device flow

This article explores OAuth 2.0 device flow, a solution for identity authentication on devices that either lack a browser to perform a user-agent-based authorization or are input constrained, outlining its purpose and user interaction flow.

Yijun

Developer

12/5/20232 min read

Stop wasting weeks on user auth

Launch secure apps faster with Logto. Integrate user auth in minutes, and focus on your core product.

Get started

As an authorization framework, OAuth 2.0 is widely used in various scenarios. In the authentication flows provided by OAuth, the most common one is the Authorization Code Flow. When a user authenticate his identity within an application using the Authorization Code Flow, the app will open a browser from the device to access the authorization endpoint, and then the user will input his identifiers (username, email, etc.) and credentials (password, verification code, etc.) to complete the authentication.

However, when a user try to use an app on a device that lacks a browser or even the capability to input their account credentials, how can we perform identity authentication through OAuth 2.0? And this is where the “device flow“ comes into play.

What is OAuth 2.0 device flow

The OAuth 2.0 device flow is an implementation of the OAuth 2.0 protocol designed to support devices that have limited input capabilities or lack a suitable browser. These devices include smart TVs, IoT devices, printers, etc..

Device flow enables users to initiate authorization requests on the mentioned devices, subsequently, user can review the authorization request and complete the user authorization through another device with browser access and input capabilities, such as a smartphone or personal computer.

Also, device flow is often used for CLI tools (like those provided by Stripe, Github, Cloudflare), because CLI tools are often run on operating systems without a graphical interface.

User interaction flow when using device flow

When a user use the device flow for authentication, it mainly includes the following steps:

The device client request authorization from the auth server with a client identifier (usually the client id on the auth server platform).
The auth server responds to the device client with device code, user code and verification URI.
The device client displays the verification URI and user code to the user in the form of text (or a QR code, etc.), instructing the user to visit the URI and enter the code.
At the same time as step 3, the device client start polling for access tokens with device code and client identifier from the auth server and start waiting the user to review the authorization request and complete the user authorization.
The user visits the verification URI hosted by the auth server, via a browser in another device, and enter the user code.
The auth server redirects the user to the sign-in page and instructs the user to complete signing in.
The user completed the sign-in flow and signed in successfully.
The auth server redirects the user to the sign-in success page and instructs the user to close the browser
At the same time as step 8, the auth server returns access tokens to the device client since the client has been polling since step 4.

After these processes, the device client will be able to obtain the access token for subsequent services!

Summary

As you've observed, the OAuth 2.0 device flow provides a user-friendly sign-in method for devices lacking easy input capabilities or a browser. This is crucial for devices such as smart TVs, IoT devices, and CLI tools that runs on a lack graphical interfaces device.

Exciting news awaits as Logto is in the process of supporting the device flow feature. Stay tuned and we'll keep you posted with latest updates.

Try Logto Today

What is OAuth 2.0 device flow

Also, device flow is often used for CLI tools (like those provided by Stripe, Github, Cloudflare), because CLI tools are often run on operating systems without a graphical interface.

User interaction flow when using device flow

When a user use the device flow for authentication, it mainly includes the following steps:

The device client request authorization from the auth server with a client identifier (usually the client id on the auth server platform).

The auth server responds to the device client with device code, user code and verification URI.

The device client displays the verification URI and user code to the user in the form of text (or a QR code, etc.), instructing the user to visit the URI and enter the code.

At the same time as step 3, the device client start polling for access tokens with device code and client identifier from the auth server and start waiting the user to review the authorization request and complete the user authorization.

The user visits the verification URI hosted by the auth server, via a browser in another device, and enter the user code.

The auth server redirects the user to the sign-in page and instructs the user to complete signing in.

The user completed the sign-in flow and signed in successfully.

The auth server redirects the user to the sign-in success page and instructs the user to close the browser

At the same time as step 8, the auth server returns access tokens to the device client since the client has been polling since step 4.

After these processes, the device client will be able to obtain the access token for subsequent services!

Summary

Exciting news awaits as Logto is in the process of supporting the device flow feature. Stay tuned and we'll keep you posted with latest updates.

What is OAuth 2.0 device flow#

User interaction flow when using device flow#

Summary#

What is OAuth 2.0 device flow#

User interaction flow when using device flow#

Summary#

What is OAuth 2.0 device flow

User interaction flow when using device flow

Summary

What is OAuth 2.0 device flow

User interaction flow when using device flow

Summary