8

Logging in with a username/password can be annoying on non-keyboard devices (game consoles, Rokus, etc). Many media apps on these devices improve on this process by letting me activate my device on my account via these steps:

  1. I download and open the app on my device. It displays a 6-character code.
  2. I log into the web version on my laptop and go to a special device-activation page (e.g. https://secure.hulu.com/activate ).
  3. The activation page has an input for the code displayed on my device. I enter the code in, and after that my device is associated with my account.

Is there a name for this protocol? I would like to implement it or find a library that implements it, but I don't know what it's called, if anything.

incidentist

1 Answer

4

It's the OAuth 2.0 device code flow. It goes something like this:

  1. The device makes a request to the authorization server's device code endpoint
  2. The authorization server responds with a code to show to the user and a URL where they should enter that code
  3. The device displays the code and URL to the user
  4. The device begins periodically polling the authorization server's token endpoint
  5. The user visits the provided URL and provides their credentials along with the code given to them
  6. The next time the device polls the authorization server's token endpoint the authorization server responds with an access token that the device can use to authenticate to the protected resource

Here's a diagram from the current draft RFC describing the flow:

  +----------+                                +----------------+
  |          |>---(A)-- Client Identifier --->|                |
  |          |                                |                |
  |          |<---(B)-- Device Code,      ---<|                |
  |          |          User Code,            |                |
  |  Device  |          & Verification URI    |                |
  |  Client  |                                |                |
  |          |  [polling]                     |                |
  |          |>---(E)-- Device Code,      --->|                |
  |          |          & Client Identifier   |                |
  |          |                                |  Authorization |
  |          |<---(F)-- Access Token      ---<|     Server     |
  +----------+   (& Optional Refresh Token)   |                |
        v                                     |                |
        :                                     |                |
       (C) User Code & Verification URI       |                |
        :                                     |                |
        v                                     |                |
  +----------+                                |                |
  | End user |                                |                |
  |    at    |<---(D)-- End user reviews  --->|                |
  |  Browser |          authorization request |                |
  +----------+                                +----------------+

                Figure 1: Device Authorization Flow

Since the device code flow is still just a draft, not a lot of OAuth 2.0 libraries have support for it, nor do all OAuth 2.0 identity providers. Luckily the protocol is pretty straightforward, so it shouldn't be too hard to build from scratch given a decent HTTP library. There's also a proxy server out there that can implement the device code flow on top of an existing OAuth 2.0 authorization server.

Miles Budnek
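The exchange the answer describes, as an added example that is not part of the original answer or of any library: a minimal in-memory Python simulation of both sides of the device authorization grant, showing the short user code, the secret device code, the polling error responses and the one-time, time-limited nature of the codes (the draft the answer cites was later published as RFC 8628). The `AuthorizationServer` class, the verification URI, the lifetime and the injectable clock are assumptions of this example.

```python
import secrets
import time

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # unambiguous letters, as RFC 8628 suggests

class AuthorizationServer:
    def __init__(self, clock=time.time, lifetime=600, interval=5):
        self.clock, self.lifetime, self.interval = clock, lifetime, interval
        self.pending = {}  # device_code -> authorization request record

    def device_authorization(self, client_id):
        # Steps A/B: the device code is a high-entropy secret the device keeps;
        # the user code is short because a human has to type it into a browser.
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        self.pending[device_code] = {
            "client_id": client_id, "user_code": user_code, "approved": None,
            "expires": self.clock() + self.lifetime, "last_poll": 0.0}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://example.com/activate",  # assumed URL
                "expires_in": self.lifetime, "interval": self.interval}

    def approve(self, user_code, approved=True):
        # Steps C/D: the logged-in user types the code and reviews the request.
        # A user code works once and only while the request is unexpired.
        for rec in self.pending.values():
            if (rec["user_code"] == user_code and rec["approved"] is None
                    and self.clock() < rec["expires"]):
                rec["approved"] = approved
                return True
        return False  # unknown, expired or already-used code

    def token(self, device_code, client_id):
        # Steps E/F: the device polls; error codes follow RFC 8628 section 3.5.
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}  # unknown, consumed or misbound code
        now = self.clock()
        if now >= rec["expires"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if now - rec["last_poll"] < self.interval:
            return {"error": "slow_down"}  # polling faster than the advertised interval
        rec["last_poll"] = now
        if rec["approved"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # one-shot: the device code is consumed on decision
        if not rec["approved"]:
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
```

The device side is just a loop that sleeps for `interval` seconds (adding five on `slow_down`) and calls `token()` until it gets something other than `authorization_pending`.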