OAuth2 for Devices

From IIW

Title: OAuth 2 for Devices

Session: Wednesday, Session 3, Space E

Conference: IIW-11 November 2-4, Mountain View

Convener: Marius S.

Note Taker: Andrew Wansley

Discussion Notes:


What is a device

A device, as we're concerned with it here, has a display and limited or painful input. We're explicitly not talking about headless devices, i.e. devices with no display and/or no input, like a refrigerator. Those devices, as far as we know, just run a webserver locally and do the webserver profile.

What's the flow

From the user's perspective, the device displays a URL and code. User goes to URL and enters the code. The device magically works.

From the device's perspective, the device presents the AuthZ server with a client ID and gets back a URL, a user code (which it displays to the user), and a device code (used for polling). The device then starts polling the AuthZ server, which tells it "not yet" for a while and then eventually returns yes along with a token, or no.

The AuthZ server has preregistered the device and replies to the device's requests as described above.
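The three steps above, simulated end to end in one process as an added example (this is not code from the session or from any OAuth implementation). Both sides are shown: the AuthZ server with its preregistered client list, the pending-request table it consults on each poll, and the device that displays the user code and polls with the device code. The field names (`device_code`, `user_code`, `verification_uri`, `authorization_pending`, `access_denied`) and the expiry, polling interval and code alphabet are assumptions chosen for the example, not anything the notes specify.

```python
"""Simulated OAuth 2 device flow, both the AuthZ server and the device side.

Added example, not code from the session or from a real OAuth server.
Field names and the expiry / interval values are assumptions for this demo.
"""
import secrets
import time

# Constructed alphabet for user codes: no vowels, no digits that look like letters.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


class AuthorizationServer:
    """Minimal in-memory AuthZ server for the device flow."""

    def __init__(self, verification_uri="https://example.test/device", lifetime=600):
        self.verification_uri = verification_uri  # assumed URL the user is told to visit
        self.lifetime = lifetime                   # seconds a pending request stays valid
        self.clients = set()                       # preregistered device client IDs
        self.pending = {}                          # device_code -> request state

    def register_client(self, client_id):
        """Devices must be preregistered before they may start the flow."""
        self.clients.add(client_id)

    def device_authorization(self, client_id, now=None):
        """Step 1: device presents its client_id, receives user code + device code."""
        if client_id not in self.clients:
            return {"error": "invalid_client"}
        now = time.time() if now is None else now
        device_code = secrets.token_urlsafe(32)  # high entropy: used for polling
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        self.pending[device_code] = {
            "client_id": client_id,
            "user_code": user_code,
            "expires_at": now + self.lifetime,
            "decision": None,  # None = not yet, True = approved, False = denied
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": self.verification_uri,
                "expires_in": self.lifetime, "interval": 5}

    def user_approve(self, typed_user_code, approve, now=None):
        """Step 2: the logged-in user types the code the device displayed."""
        now = time.time() if now is None else now
        typed = typed_user_code.strip().upper()
        for state in self.pending.values():
            if (state["decision"] is None and state["expires_at"] > now
                    and secrets.compare_digest(state["user_code"], typed)):
                state["decision"] = bool(approve)
                return True
        return False  # unknown, expired or already-decided code

    def token_poll(self, device_code, now=None):
        """Step 3: device polls with device_code; 'not yet', token, or no."""
        now = time.time() if now is None else now
        state = self.pending.get(device_code)
        if state is None:
            return {"error": "invalid_grant"}
        if state["expires_at"] <= now:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if state["decision"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # a decided code is single use
        if not state["decision"]:
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


class Device:
    """The limited-input device: shows URL + code, then polls."""

    def __init__(self, server, client_id):
        self.server, self.client_id = server, client_id
        self.device_code = self.user_code = self.token = None

    def start(self):
        """Returns the text the device would put on its screen."""
        resp = self.server.device_authorization(self.client_id)
        if "error" in resp:
            raise RuntimeError(resp["error"])
        self.device_code, self.user_code = resp["device_code"], resp["user_code"]
        return f"Go to {resp['verification_uri']} and enter code {self.user_code}"

    def poll_once(self):
        """One poll; returns 'not yet', 'ok' (token stored) or the error name."""
        resp = self.server.token_poll(self.device_code)
        if "access_token" in resp:
            self.token = resp["access_token"]
            return "ok"
        return "not yet" if resp["error"] == "authorization_pending" else resp["error"]


def run_demo():
    """Full happy path; returns the sequence of poll results."""
    srv = AuthorizationServer()
    srv.register_client("tv-app")            # constructed client ID
    dev = Device(srv, "tv-app")
    print(dev.start())
    results = [dev.poll_once()]              # user has not acted yet
    srv.user_approve(dev.user_code, True)    # user types the code and approves
    results.append(dev.poll_once())
    return results


if __name__ == "__main__":
    print(run_demo())
```

Note that the server looks up the pending request by the typed user code only among undecided, unexpired entries, compares it in constant time, and deletes the entry on the first poll after a decision, so a device code cannot be redeemed twice.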

The session fixation attack

An attacker could trick the user into approving the attacker's pending device authorization by sending them a link. Somewhat of a weakness, but not a huge threat.

Other sorts of connections

I've already paired my PlayStation with my Sony account. It would be nice if, when I add a Netflix app, it could just pair with Sony's frontend and then that connection could live across devices. In this case we could just do a webserver flow.

Another way to authorize devices is to share credentials over Bluetooth. For example, I could authorize my photo frame by connecting my Android phone to it.