Device authorization grant (RFC 8628)

In some cases, the user interacts with an OAuth client on a device that has no browser.

  • No HTTP redirections to the Authorization server and back to the client.

  • No user interface.

    • To authenticate the user.

    • To review and authorize the request.

Solution.

  • Use a second device to perform the user authentication and to grant the authorization.

    • e.g. mobile phone, tablet, etc.

  • The client fetches the access token from the Authorization server.

    • Possibly with a refresh token.
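
The token-fetching step above, sketched as an added example that is not part of the original page: the client polls the token endpoint while the user authorizes on the second device. The grant type, response fields and error codes are those of RFC 8628; `poll_for_token`, `post_token`, `demo`, the `as.example` URL and all token values are hypothetical or constructed.

```python
import time

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628, section 3.4

def poll_for_token(post_token, device_auth, client_id, sleep=time.sleep, now=time.monotonic):
    """Poll the token endpoint until the user finishes on the second device.

    post_token(params) -> dict is a hypothetical transport hook: it sends the
    form-encoded request and returns the parsed JSON body.
    """
    interval = device_auth.get("interval", 5)     # RFC default when omitted: 5 s
    deadline = now() + device_auth["expires_in"]  # lifetime of the device_code
    params = {"grant_type": GRANT_TYPE, "client_id": client_id,
              "device_code": device_auth["device_code"]}
    while now() < deadline:
        sleep(interval)
        body = post_token(params)
        if "access_token" in body:
            return body                           # may also carry a refresh_token
        error = body.get("error")
        if error == "slow_down":
            interval += 5                         # back off by 5 s for all later polls
        elif error != "authorization_pending":    # access_denied, expired_token, ...
            raise RuntimeError(f"device flow failed: {error}")
    raise TimeoutError("device_code expired before the user authorized")

def demo(replies=None):
    """Run the loop against scripted (constructed) authorization-server replies."""
    device_auth = {"device_code": "constructed-device-code", "user_code": "ABCD-EFGH",
                   "verification_uri": "https://as.example/device",
                   "expires_in": 600, "interval": 5}
    replies = list(replies or [
        {"error": "authorization_pending"},       # user still typing the user_code
        {"error": "slow_down"},                   # server asks for a longer interval
        {"access_token": "constructed-access-token", "token_type": "Bearer",
         "refresh_token": "constructed-refresh-token"}])
    clock, waits, requests = [0.0], [], []
    def fake_sleep(seconds):                      # virtual clock, no real waiting
        waits.append(seconds)
        clock[0] += seconds
    def post_token(params):
        requests.append(dict(params))
        return replies.pop(0)
    tokens = poll_for_token(post_token, device_auth, "constructed-client-id",
                            sleep=fake_sleep, now=lambda: clock[0])
    return tokens, waits, requests

if __name__ == "__main__":
    print(demo())
```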
