Device code flow
(Also known as device flow and RFC 8628)
This type of authentication flow is useful for devices with limited input abilities and/or devices without browsers.
This device flow is only possible if the active tenant has a device code flow setup. This device code flow is run after the user logs in, and before the user authenticates.
The flow is initiated by sending a POST request to the device authorization endpoint,
/application/o/device/ with the following contents:
POST /application/o/device/ HTTP/1.1
scopes=openid email my-other-scope
The response contains the following fields:
device_code: Device code, which is the code kept on the device
verification_uri: The URL to be shown to the enduser to input the code
verification_uri_complete: The same URL as above except the code will be prefilled
user_code: The raw code for the enduser to input
expires_in: The total seconds after which this token will expire
interval: The interval in seconds for how often the device should check the token status
With this response, the device can start checking the status of the token by sending requests to the token endpoint like this:
POST /application/o/token/ HTTP/1.1
If the user has not opened the link above yet, or has not finished the authentication and authorization yet, the response will contain an
error element set to
authorization_pending. The device should re-send the request in the interval set above.
If the user has finished the authentication and authorization, the response will be similar to any other generic OAuth2 Token request, containing