logo
Sign in
Get started
BLOG/TECHNOLOGY

A brief introduction to OAuth 2.0 device flow

This article explores OAuth 2.0 device flow, a solution for identity authentication on devices that either lack a browser to perform a user-agent-based authorization or are input constrained, outlining its purpose and user interaction flow.
Yijun
YijunDeveloper
December 05, 20234 min read
A brief introduction to OAuth 2.0 device flow

As an authorization framework, OAuth 2.0 is widely used in various scenarios. In the authentication flows provided by OAuth, the most common one is the Authorization Code Flow. When a user authenticate his identity within an application using the Authorization Code Flow, the app will open a browser from the device to access the authorization endpoint, and then the user will input his identifiers (username, email, etc.) and credentials (password, verification code, etc.) to complete the authentication.

However, when a user try to use an app on a device that lacks a browser or even the capability to input their account credentials, how can we perform identity authentication through OAuth 2.0? And this is where the “device flow“ comes into play.

What is OAuth 2.0 device flow

The OAuth 2.0 device flow is an implementation of the OAuth 2.0 protocol designed to support devices that have limited input capabilities or lack a suitable browser. These devices include smart TVs, IoT devices, printers, etc..

Device flow enables users to initiate authorization requests on the mentioned devices, subsequently, user can review the authorization request and complete the user authorization through another device with browser access and input capabilities, such as a smartphone or personal computer.

Also, device flow is often used for CLI tools (like those provided by Stripe, Github, Cloudflare), because CLI tools are often run on operating systems without a graphical interface.

User interaction flow when using device flow

When a user use the device flow for authentication, it mainly includes the following steps:

Auth ServerDevice ClientUser at browserAuth ServerDevice ClientUser at browser(1) Request authorization with client identifier(2) Device code, User code, Verification URI(3) Instruct end user to open the verification URI and enter the user code(4) Start polling for access tokens with device code and client identifier(5) Visit verification URI and enter the device code(6) Redirect the user to the sign in page(7) Complete the sign in flow and signed in(8) Redirect the user to the sign-in success page and instruct the user to close the browser(9) Return access tokens to the client (since the device is polling in step 4)

  1. The device client request authorization from the auth server with a client identifier (usually the client id on the auth server platform).
  2. The auth server responds to the device client with device code, user code and verification URI.
  3. The device client displays the verification URI and user code to the user in the form of text (or a QR code, etc.), instructing the user to visit the URI and enter the code.
  4. At the same time as step 3, the device client start polling for access tokens with device code and client identifier from the auth server and start waiting the user to review the authorization request and complete the user authorization.
  5. The user visits the verification URI hosted by the auth server, via a browser in another device, and enter the user code.
  6. The auth server redirects the user to the sign-in page and instructs the user to complete signing in.
  7. The user completed the sign-in flow and signed in successfully.
  8. The auth server redirects the user to the sign-in success page and instructs the user to close the browser
  9. At the same time as step 8, the auth server returns access tokens to the device client since the client has been polling since step 4.

After these processes, the device client will be able to obtain the access token for subsequent services!

Summary

As you've observed, the OAuth 2.0 device flow provides a user-friendly sign-in method for devices lacking easy input capabilities or a browser. This is crucial for devices such as smart TVs, IoT devices, and CLI tools that runs on a lack graphical interfaces device.

Exciting news awaits as Logto is in the process of supporting the device flow feature. Stay tuned and we'll keep you posted with latest updates.

Try Logto Today
Subscribe Logto newsletters
Stay on top of the latest product updates, development inspirations, blogs, and research prompt.
Email address
Subscribe
Products
Email and SMS passwordlessEnterprise SSO (SAML & OIDC)PasswordMachine-to-machineSocial sign-inManagement APIOmni sign-in experienceProtected AppMulti-factor authenticationIdP for 3rd-party appsUser managementRole-based access controlOrganizations (Multi-tenancy)
Pricing
Pricing plans
Solutions
Consumer appsSaaS productsAI appsEnterprise-readyMulti-app products
Developers
DocumentationAPI referencesSDK guideMigration guide
Resources
BlogBranding assetsYouTube channelSign-in experience assetsNewsletterLogto vs. Auth0Logto vs. ClerkLogto vs. StytchChangelogs
About
Trust and securityAbout us
Designed by Silverhand Inc.
Hosted in the 🇪🇺 EUTerms of usePrivacy policy