
Understanding OAuth 2.0 Device Authorization Flow (RFC 8628)

OAuth 2.0 Device Authorization (RFC 8628) defines a grant for obtaining access tokens on devices that lack a browser or a usable keyboard. It describes the roles of the client device and the authorization server, the user code and the device code, the polling of the token endpoint and the final token issuance, using a TV that is authorized from a mobile phone as the example.

Java Architecture Diary

OAuth 2.0 Device Authorization (Device Flow)

The running example is signing in on a TV, with a mobile phone used to authorize it.

Definition of Device Authorization

RFC 8628, published by the IETF in August 2019, defines the Device Authorization Grant: an OAuth 2.0 flow that lets a client running on a device with no web browser, or with limited input capability, obtain an access token with the end user's consent by having the user complete the authorization on a second device that does have a browser.

Request Flow

The user has a device with a web browser (PC, smartphone, tablet). The client (e.g., a TV or an appliance) is a device that can make outbound HTTPS requests but has no browser, or only a cumbersome on-screen keyboard. The authorization server (e.g., the streaming service) exposes a device authorization endpoint alongside its normal token endpoint.

The OAuth 2.0 Device Authorization flow proceeds as follows:

1. The client (device) sends a device authorization request to the server's device authorization endpoint, carrying its client_id and the scope it wants.

2. The authorization server returns a response with these parameters:

user_code – a short code the user will type on the verification page. It is deliberately short (RFC 8628 suggests eight characters from a 20-letter consonant alphabet), so it has little entropy and the server must rate-limit failed attempts and expire it quickly (RFC 8628, Section 5.1).

device_code – a long, high-entropy secret the client uses to poll for the token. It is never shown to the user.

verification_uri – the page where the user enters the user_code (optionally also verification_uri_complete, with the code already embedded, which suits a QR code).

expires_in – the lifetime of both codes in seconds.

interval – the minimum number of seconds the client must wait between polls (5 if absent).

3. The client shows the user_code and the verification_uri to the user.

4. Two things now happen in parallel:

The client polls the token endpoint with grant_type=urn:ietf:params:oauth:grant-type:device_code, its device_code and its client_id, waiting at least interval seconds between requests. While the user has not yet acted, the server answers authorization_pending; if the client polls too quickly, it answers slow_down and the client must add 5 seconds to its interval; expired_token or access_denied ends the flow.

The user opens a browser on the phone or PC, navigates to the verification_uri, enters the user_code, authenticates to the authorization server and approves (or rejects) what the client is asking for.

5. Once the user approves, the authorization server marks that device_code as authorized; the client's next poll with it returns the access token (and, if issued, a refresh token). A device_code is single use.

6. The client stores the token and starts calling the API. Because the user_code is entered out of band, the verification page should state which client is asking and for what: an attacker who tricks a victim into typing an attacker-initiated user_code obtains a token for the victim's account (remote phishing, RFC 8628, Section 5.4).

Example Invocation
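The exchange above, played out end to end as an added example (not the article's own code): a minimal in-memory authorization server implementing the device authorization and token endpoints, a TV-style client that polls, and a fake clock so no real waiting happens. The verification URL https://as.example/device, the client_id tv-app and the single server-wide lockout counter are assumptions for the example; a real server would rate-limit per source address and per user session. Beyond the happy path in the text, it also shows the slow_down correction, the access_denied path and the lockout after repeated bad user codes.

```python
import secrets
from dataclasses import dataclass

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # consonant-only base-20 alphabet, RFC 8628 6.1
VERIFICATION_URI = "https://as.example/device"  # assumed URL, not taken from the article

class FakeClock:  # advances time without really sleeping
    now = 1000.0
    def sleep(self, seconds):
        self.now += seconds

@dataclass
class PendingAuth:
    client_id: str
    user_code: str
    expires_at: float
    last_poll: float = float("-inf")
    status: str = "pending"  # pending | authorized | denied

class AuthorizationServer:
    LIFETIME, INTERVAL, MAX_BAD_USER_CODES = 1800, 5, 5  # seconds, seconds, attempts

    def __init__(self, clock):
        self.clock, self.pending, self.user_codes, self.bad_user_codes = clock, {}, {}, 0

    def device_authorization(self, client_id):  # device authorization endpoint, RFC 8628 3.1/3.2
        device_code = secrets.token_urlsafe(32)  # high entropy; only the client ever sees it
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        self.pending[device_code] = PendingAuth(client_id, user_code, self.clock.now + self.LIFETIME)
        self.user_codes[user_code] = device_code
        return {"device_code": device_code,
                "user_code": f"{user_code[:4]}-{user_code[4:]}",  # grouped for typing (6.1)
                "verification_uri": VERIFICATION_URI,
                "expires_in": self.LIFETIME, "interval": self.INTERVAL}

    def verify_user_code(self, typed_code, approve=True):  # verification page, user already signed in
        code = typed_code.upper().replace("-", "").replace(" ", "")  # 6.1: ignore case/separators
        auth = self.pending.get(self.user_codes.get(code, ""))
        if auth is None or auth.status != "pending" or self.clock.now > auth.expires_at:
            self.bad_user_codes += 1  # 5.1: user_code is guessable, so count failures and lock
            if self.bad_user_codes >= self.MAX_BAD_USER_CODES:
                raise PermissionError("too many invalid user codes; verification locked")
            return False
        auth.status = "authorized" if approve else "denied"
        return True

    def token(self, grant_type, device_code, client_id):  # token endpoint, RFC 8628 3.4/3.5
        if grant_type != GRANT_TYPE:
            return {"error": "unsupported_grant_type"}
        auth = self.pending.get(device_code)
        if auth is None or auth.client_id != client_id:
            return {"error": "invalid_grant"}
        if self.clock.now > auth.expires_at:
            self._forget(device_code, auth)
            return {"error": "expired_token"}
        too_fast = self.clock.now - auth.last_poll < self.INTERVAL
        auth.last_poll = self.clock.now
        if too_fast:
            return {"error": "slow_down"}  # 3.5: the client must add 5 s to its interval
        if auth.status == "pending":
            return {"error": "authorization_pending"}
        self._forget(device_code, auth)  # terminal either way: a device_code is single use
        if auth.status == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}

    def _forget(self, device_code, auth):
        self.pending.pop(device_code, None)
        self.user_codes.pop(auth.user_code, None)

class TvClient:  # the browserless device: shows user_code and URI, keeps device_code private
    def __init__(self, server, client_id, clock):
        self.server, self.client_id, self.clock = server, client_id, clock
        self.grant = server.device_authorization(client_id)
        self.interval = self.grant.get("interval", 5)  # 3.2: default to 5 s when absent
        # Only these two values reach the screen; the device_code never leaves the client.
        self.screen = f"Go to {self.grant['verification_uri']} and enter {self.grant['user_code']}"

    def poll(self, wait=True):
        if wait:
            self.clock.sleep(self.interval)
        resp = self.server.token(GRANT_TYPE, self.grant["device_code"], self.client_id)
        if resp.get("error") == "slow_down":
            self.interval += 5
        return resp

def run_flow(approve=True):
    """Drive both sides; returns the token-endpoint outcomes in order plus the final response."""
    clock = FakeClock()
    server = AuthorizationServer(clock)
    tv = TvClient(server, "tv-app", clock)
    outcomes = [tv.poll(wait=False)["error"],  # immediate first poll: authorization_pending
                tv.poll(wait=False)["error"],  # impatient re-poll: slow_down, interval -> 10
                tv.poll()["error"]]            # waited the new interval: still pending
    # On the phone: the user signs in and types the code from the TV screen, in lower case.
    server.verify_user_code(tv.grant["user_code"].lower(), approve=approve)
    final = tv.poll()
    outcomes.append("token" if "access_token" in final else final["error"])
    return {"outcomes": outcomes, "final": final, "server": server, "tv": tv}
```

run_flow() walks the token endpoint through authorization_pending, slow_down, authorization_pending and finally a Bearer token; run_flow(approve=False) ends in access_denied instead. Once a device_code has reached a terminal state the server forgets it, so a further poll gets invalid_grant, and a fifth wrong user_code on the verification page locks it, which is the mitigation Section 5.1 of the RFC asks for.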
