OAUTH2 Device Profile

From IIW

Session Topic: OAuth 2.0 Device Profile (T5E)

Convener: Marius Scurtescu

Notes-taker(s): Andrew Wansley

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

What is the device profile?

  • Similar to Netflix pairing
  • Device has a display, but no or a painful input
  • Device gets a user code and device code
  • Device says "go to URL and enter <user code>"
  • User goes to browser, enters code at URL, sees a consent page, approves
  • Device meanwhile polls AS, gets a code, refresh token

Use a QR code?

  • Possible, but UX issues
  • People may not have active sessions on their phone, so browser might be easier

Implementation issues

  • Google ended up creating separate endpoints
  • Devices poll today @FB/G, could just check once
  • one URL/client_id vs generic URL and globally unique codes
  • 30m user code expiry time
  • Session fixation attack theoretically possible, odd UX mitigates
  • Client apps could use this flow

How is it modeled?

  • grant_type=device_code

Mis-binding

  • Devices could show the user id

Account sharing

  • other ways of solving

Spec

  • Probably refresh Recordon's spec

Code length

  • 6-8, variable
  • could use words
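The flow sketched under "What is the device profile?" (device gets a device code and user code, user approves in a browser, device polls the AS), together with the 30m user-code expiry under "Implementation issues", the "Devices could show the user id" mis-binding mitigation, and the 6-8 character code length above, as one added example. This is not code from the session, from Google or Facebook, or from any spec draft; it is a self-contained simulation of both sides in Python. The endpoint names, the `ManualClock` helper, the consonant-only code alphabet, the `slow_down`/`authorization_pending` error strings and the `user_id` field in the token response are all assumptions made here for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumptions for this example: consonant-only alphabet so generated codes never
# spell words and are hard to misread; 30 minute lifetime as in the session notes.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"
USER_CODE_TTL = 30 * 60  # seconds


class ManualClock:
    """Deterministic clock so expiry and polling can be exercised offline."""
    def __init__(self, start: float = 1000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


def make_user_code(length: int = 8) -> str:
    """Random user code of 6-8 characters, drawn from a CSPRNG."""
    assert 6 <= length <= 8
    return "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(length))


@dataclass
class PendingGrant:
    client_id: str
    device_code: str
    user_code: str
    expires_at: float
    approved_by: Optional[str] = None  # user id once the user has consented
    last_poll: float = 0.0


class AuthorizationServer:
    def __init__(self, clock=ManualClock(), interval: int = 5) -> None:
        self.clock = clock
        self.interval = interval  # minimum seconds between device polls
        self.by_device_code: dict = {}
        self.by_user_code: dict = {}

    def device_authorization(self, client_id: str) -> dict:
        """Device-facing endpoint: hand out a device_code and a user_code."""
        user_code = make_user_code()
        while user_code in self.by_user_code:  # codes must be globally unique while live
            user_code = make_user_code()
        grant = PendingGrant(client_id, secrets.token_urlsafe(32), user_code,
                             self.clock() + USER_CODE_TTL)
        self.by_device_code[grant.device_code] = grant
        self.by_user_code[user_code] = grant
        return {"device_code": grant.device_code, "user_code": user_code,
                "verification_uri": "https://as.example/device",  # placeholder
                "expires_in": USER_CODE_TTL, "interval": self.interval}

    def user_approves(self, user_code: str, user_id: str) -> str:
        """Browser side: user typed the code on the verification page and consented."""
        grant = self.by_user_code.get(user_code)
        if grant is None or grant.expires_at <= self.clock():
            return "invalid_or_expired"
        grant.approved_by = user_id
        return "approved"

    def token(self, client_id: str, device_code: str) -> dict:
        """Token endpoint polled by the device with grant_type=device_code."""
        grant = self.by_device_code.get(device_code)
        if grant is None or grant.client_id != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if grant.expires_at <= now:
            self._forget(grant)
            return {"error": "expired_token"}
        if now - grant.last_poll < self.interval:
            return {"error": "slow_down"}
        grant.last_poll = now
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        self._forget(grant)  # single use: a replayed device_code gets nothing
        # user_id is returned so the device can display which account it got bound to
        return {"access_token": secrets.token_urlsafe(24),
                "refresh_token": secrets.token_urlsafe(24),
                "token_type": "bearer", "user_id": grant.approved_by}

    def _forget(self, grant: PendingGrant) -> None:
        self.by_device_code.pop(grant.device_code, None)
        self.by_user_code.pop(grant.user_code, None)


if __name__ == "__main__":
    clock = ManualClock()
    auth = AuthorizationServer(clock=clock)
    resp = auth.device_authorization("tv-app")
    print("Go to", resp["verification_uri"], "and enter", resp["user_code"])
    print(auth.token("tv-app", resp["device_code"]))          # authorization_pending
    clock.now += 5
    print(auth.user_approves(resp["user_code"], "alice"))     # approved
    print(auth.token("tv-app", resp["device_code"])["user_id"])  # alice
```

The device shows `verification_uri` and `user_code`, then polls `token()` no faster than `interval`; the grant is dropped once a token is issued, and a code that is not approved within 30 minutes is refused on both the browser and the device side.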