The Device Authorization feature is an OAuth 2.0 grant type. It allows users to sign in to input-constrained devices, such as smart TVs, digital picture frames, and printers, and devices with no browser.
Sat Apr 20, 2024
Device Authorization is one of the trending and widely used OAuth 2.0 grant types. It is used by devices such as Smart TVs, digital picture frames, printers, or other devices that do not have browser capabilities. This grant type lets you use a secondary trusted device, such as a laptop or mobile phone, to complete sign-in to apps.
Device authorization starts when you want to authenticate to an application, for example "Netflix", on a device such as a Smart TV. When the Netflix app is launched on this device, it communicates with the OAuth provider and fetches a user verification code and an activation URL, like the ones below.
You then go to the activation URL on a secondary device, such as your mobile phone or laptop, and enter the user verification code.
Activation URL: netflix.com/tv8
User Verification Code: 2261-49*
The Netflix app on the Smart TV now exchanges this user verification code with the OAuth provider to generate an access token, and yay! You are authenticated.
Device Authorization Grant is available for Native applications in Okta. It is available under both Classic and Identity Engine.
curl --request POST \
--url https://${yourOktaDomain}/oauth2/default/v1/device/authorize \
--header 'Accept: application/json' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=${clientId}' \
--data-urlencode 'scope=openid profile offline_access'
{
"device_code": "4ebdb4de-1f8b-4497-be01-ddfaf83c4e9c",
"user_code": "MHXTFRPK",
"verification_uri": "https://{yourOktaDomain}/activate",
"verification_uri_complete": "https://{yourOktaDomain}/activate?user_code=MHXTFRPK",
"expires_in": 600,
"interval": 5
}
curl --request POST \
--url https://${yourOktaDomain}/oauth2/default/v1/token \
--header 'Accept: application/json' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=${clientId}' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:device_code' \
--data-urlencode 'device_code=${deviceCode}'
{
"token_type": "Bearer",
"expires_in": 3600,
"access_token": "eyJraWQ...JQuDJh8g",
"scope": "openid profile offline_access",
"refresh_token": "zcLdr1FBXwtI9ej98VVVwtjDd-SmaoL06qr_UcY2tNA",
"id_token": "eyJraWQ...WI6KR0aQ"
}
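The token request above usually has to be repeated while the user is still completing activation on the second device. As an added example (not from the original post or from Okta), this Python shows the device-side polling loop defined in RFC 8628, honouring the `interval` and `expires_in` values from the device authorization response and backing off on `slow_down`. The `post` transport hook, the function names, and all sample values are constructed assumptions.

```python
import time

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"

class DeviceFlowError(Exception):
    """Terminal failure: access_denied, expired_token, or an unexpected error."""

def poll_for_token(post, client_id, auth, sleep=time.sleep, now=time.monotonic):
    """Poll the token endpoint until the user approves, denies, or the code expires.

    post(form) -> (http_status, json_dict) is a hypothetical transport hook;
    auth is the parsed device authorization response.
    """
    interval = auth.get("interval", 5)        # RFC 8628 default when absent
    deadline = now() + auth["expires_in"]     # device_code lifetime in seconds
    form = {"client_id": client_id, "grant_type": GRANT_TYPE,
            "device_code": auth["device_code"]}
    while now() < deadline:
        sleep(interval)                       # never poll faster than instructed
        status, body = post(form)
        if status == 200:
            return body                       # token response
        error = body.get("error")
        if error == "authorization_pending":  # user has not finished activation
            continue
        if error == "slow_down":              # RFC 8628 section 3.5: add 5 seconds
            interval += 5
            continue
        raise DeviceFlowError(error or f"http {status}")
    raise DeviceFlowError("expired_token")    # stop polling once the code has expired

def demo():
    """Run the loop against a constructed token endpoint (no network access)."""
    auth = {"device_code": "constructed-device-code", "expires_in": 600, "interval": 5}
    replies = [(400, {"error": "authorization_pending"}),
               (400, {"error": "slow_down"}),
               (400, {"error": "authorization_pending"}),
               (200, {"token_type": "Bearer", "access_token": "constructed-token"})]
    clock, waits = [0.0], []
    def fake_sleep(seconds):
        waits.append(seconds)
        clock[0] += seconds
    token = poll_for_token(lambda form: replies.pop(0), "constructed-client-id",
                           auth, fake_sleep, lambda: clock[0])
    return token, waits

if __name__ == "__main__":
    print(demo())
```

A device that ignores `slow_down` or keeps polling after `expires_in` generates avoidable load on the authorization server and may be rate limited.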
Sumit Kumar Tiwari
An Okta enthusiast and consultant with experience in implementing IAM solutions for businesses of all scales.