OAuth 2.0 Device Profile
From IIW
Session Topic: OAuth 2.0 Device Profile (T5E)
Convener: Marius Scurtescu
Notes-taker(s): Andrew Wansley
Tags for the session - technology discussed/ideas considered:
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
What is the device profile?
- Similar to Netflix pairing
- Device has a display, but no input or only a painful one
- Device asks the AS for a pairing and gets back a user code and a device code
- Device shows "go to <URL> and enter <user code>"
- User goes to a browser, enters the code at that URL, sees a consent page, approves
- Device meanwhile polls the AS token endpoint with its device code; once the user has approved, it gets an access token and a refresh token
Use a QR code?
- Possible, but UX issues
- People may not have an active session on their phone, so a browser where they are already logged in may be easier than scanning
Implementation issues
- Google ended up creating separate endpoints for the device flow
- Devices poll today at Facebook and Google; they could instead check just once
- Design choice: one verification URL per client_id vs. a single generic URL with globally unique user codes
- 30-minute user code expiry
- Session fixation attack is theoretically possible (attacker obtains a user code and gets a victim to enter it, so the victim's account is bound to the attacker's device); the odd UX of visiting a URL and typing a code mitigates it
- Regular client apps could also use this flow
How is it modeled?
- As a new grant type at the token endpoint: grant_type=device_code
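The flow described in the bullets above, modeled end to end as an added example (this is illustration code written for these notes, not Google's or Facebook's implementation and not code from the session). Both sides are simulated in one process with a controllable clock: the AS hands out a device code / user code pair, the user approves the user code in a browser session, and the device polls the token endpoint with grant_type=device_code until it gets an access token and refresh token. The endpoint names, the error strings (authorization_pending, slow_down, expired_token), the consonant-only alphabet, the 5-second poll interval and the "user" field in the token response (so the device can show which account it was bound to, the mis-binding point below) are assumptions; the 30-minute expiry is the figure from the notes.

```python
import secrets
import time

# Assumptions for this example: consonant-only user-code alphabet (no 0/O or
# 1/I look-alikes), the 30-minute expiry from the notes, a 5 s poll interval.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"
USER_CODE_EXPIRY_S = 30 * 60
MIN_POLL_INTERVAL_S = 5
CLIENT_ID = "tv-app"   # hypothetical registered client


class AuthorizationServer:
    """In-memory AS holding pending device grants keyed by device_code."""

    def __init__(self, now=time.time):
        self.now = now
        self._grants = {}        # device_code -> grant record
        self._user_codes = {}    # user_code -> device_code

    def device_authorization(self, client_id, scope):
        """Step 1: device asks for a pairing; gets a device code and a user code."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        self._grants[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": self.now() + USER_CODE_EXPIRY_S,
            "status": "pending", "user": None, "last_poll": None,
        }
        self._user_codes[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_url": "https://as.example/device",   # hypothetical
                "expires_in": USER_CODE_EXPIRY_S, "interval": MIN_POLL_INTERVAL_S}

    def verify_user_code(self, user_code, logged_in_user):
        """Step 2: user types the code in a browser where they are logged in."""
        rec = self._grants.get(self._user_codes.get(user_code))
        if rec is None or rec["status"] != "pending" or self.now() > rec["expires_at"]:
            return {"error": "invalid_user_code"}
        # Consent page shown here; approving binds the grant to the browser
        # session's account, never to anything the device claimed about the user.
        rec["status"] = "approved"
        rec["user"] = logged_in_user
        return {"ok": True, "client_id": rec["client_id"], "scope": rec["scope"]}

    def token(self, grant_type, device_code, client_id):
        """Step 3: device polls the token endpoint with grant_type=device_code."""
        if grant_type != "device_code":
            return {"error": "unsupported_grant_type"}
        rec = self._grants.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.now()
        if now > rec["expires_at"]:
            return {"error": "expired_token"}
        too_fast = rec["last_poll"] is not None and now - rec["last_poll"] < MIN_POLL_INTERVAL_S
        rec["last_poll"] = now
        if too_fast:
            return {"error": "slow_down"}
        if rec["status"] == "pending":
            return {"error": "authorization_pending"}
        # Approved: the device code is single-use, so drop it before issuing tokens.
        del self._grants[device_code]
        del self._user_codes[rec["user_code"]]
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "refresh_token": secrets.token_urlsafe(24),
                "user": rec["user"]}   # assumption: lets the device display who it is bound to


class FakeClock:
    def __init__(self, t=1_700_000_000.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def run_flow():
    """Happy path: pending -> too-fast poll -> mistyped code -> approval -> tokens."""
    clock = FakeClock()
    server = AuthorizationServer(now=clock)
    pairing = server.device_authorization(CLIENT_ID, "profile")
    prompt = f"Go to {pairing['verification_url']} and enter {pairing['user_code']}"
    trace = [server.token("device_code", pairing["device_code"], CLIENT_ID)["error"]]
    clock.advance(1)   # device polls again after only 1 s
    trace.append(server.token("device_code", pairing["device_code"], CLIENT_ID)["error"])
    trace.append(server.verify_user_code("00000000", "alice")["error"])   # typo: 0 is not in the alphabet
    server.verify_user_code(pairing["user_code"], "alice")
    clock.advance(MIN_POLL_INTERVAL_S)
    tokens = server.token("device_code", pairing["device_code"], CLIENT_ID)
    replay = server.token("device_code", pairing["device_code"], CLIENT_ID)["error"]
    return {"prompt": prompt, "trace": trace, "tokens": tokens, "replay": replay}


def run_expired_flow():
    """Nobody approves within the 30-minute window: both sides are refused."""
    clock = FakeClock()
    server = AuthorizationServer(now=clock)
    pairing = server.device_authorization(CLIENT_ID, "profile")
    clock.advance(USER_CODE_EXPIRY_S + 1)
    late_user = server.verify_user_code(pairing["user_code"], "alice")["error"]
    late_device = server.token("device_code", pairing["device_code"], CLIENT_ID)["error"]
    return late_user, late_device
```

Running `run_flow()` shows the device seeing authorization_pending, then slow_down for polling inside the interval, then receiving tokens bound to "alice" only after the browser-side approval; a second poll with the same device code fails with invalid_grant because the code is consumed. `run_expired_flow()` shows that after the expiry neither the user code nor the device code is usable.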
Mis-binding (device ends up bound to the wrong account)
- Device could display the user id of the account it was bound to, so the user can notice
Account sharing
- There are other ways of solving it
Spec
- Probably refresh David Recordon's draft spec
Code length
- 6-8 characters, variable
- Could use words instead of characters
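Added example for the code-length, globally-unique-code and 30-minute-expiry points above (written for these notes, not code from the session or any implementation). It normalizes what a person actually types, checks the code is well formed before the AS does a lookup, and computes the entropy of the 6-8 character and word-based options alongside the probability that an attacker submitting guesses at one generic verification URL hits any live code before it expires. The alphabet, the 2048-entry word list, the 10,000 outstanding codes and the 10 guesses per second are assumptions chosen for illustration.

```python
import math
import re

# Assumptions for this example: 20 consonants (no 0/O, 1/I/L look-alikes), a
# 2048-entry word list, and an attacker who can submit guesses at a fixed rate.
SAFE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"
WORD_LIST_SIZE = 2048
USER_CODE_EXPIRY_S = 30 * 60   # from the notes: 30-minute user code expiry


def normalize_user_code(raw):
    """Accept what people actually type: any case, spaces or hyphens between groups."""
    return re.sub(r"[^A-Z0-9]", "", raw.upper())


def is_well_formed(code, length=8, alphabet=SAFE_ALPHABET):
    """Cheap syntactic check so mistyped codes are rejected before any lookup."""
    return len(code) == length and all(ch in alphabet for ch in code)


def entropy_bits(symbol_count, length):
    """Entropy of a code drawn uniformly from symbol_count**length possibilities."""
    return length * math.log2(symbol_count)


def guess_success_probability(space, outstanding, guesses):
    """Probability that some guess hits any of the `outstanding` live codes.

    With globally unique codes entered at one generic URL, every live code is a
    target for every guess, so one guess succeeds with probability
    outstanding/space and `guesses` tries give 1 - (1 - p)**guesses.
    """
    p = min(1.0, outstanding / space)
    return 1.0 - (1.0 - p) ** guesses


def compare_designs(outstanding=10_000, guess_rate_per_s=10, window_s=USER_CODE_EXPIRY_S):
    """Entropy and in-window guess risk for the character and word options from the notes."""
    guesses = guess_rate_per_s * window_s
    designs = {
        "6 consonants": (len(SAFE_ALPHABET), 6),
        "8 consonants": (len(SAFE_ALPHABET), 8),
        "3 words": (WORD_LIST_SIZE, 3),
        "4 words": (WORD_LIST_SIZE, 4),
    }
    out = {}
    for name, (symbols, length) in designs.items():
        space = symbols ** length
        out[name] = {
            "bits": round(entropy_bits(symbols, length), 1),
            "p_guess_in_window": guess_success_probability(space, outstanding, guesses),
        }
    return out
```

With the assumed parameters, `compare_designs()` shows why the shorter end of 6-8 is risky when codes are globally unique: six consonants give about 26 bits, and 18,000 guesses against 10,000 live codes succeed with probability above 0.9 inside the 30-minute window, whereas eight consonants (about 35 bits) bring that below 0.01. Three words from a 2048-entry list sit at 33 bits, so a word-based code needs four words to clearly beat the eight-character option. Shortening the expiry or rate-limiting the verification URL reduces `guesses` directly, which is the other lever the AS controls.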