Access Management 7.2.2

/oauth2/device/user

Device flow AM-specific endpoint for user interaction. Client devices use this endpoint to exchange a user code with consent from the resource owner to access the resources in the following flows:

You must compose the path to the device user endpoint addressing the specific realm where consent will be granted. For example, https://openam.example.com:8443/openam/oauth2/realms/root/realms/alpha/device/user.

The device user endpoint supports the following parameters:

user_code

Specify the scopes linked to the permissions requested by the client to the resource owner. If not specified, the default scopes specified in the client or the authorization server are requested.

Required: Yes.

csrf

When interacting with the OAuth 2.0 consent page, this parameter helps prevent cross-site request forgery (CSRF) attacks.

The parameter duplicates the contents of the iPlanetDirectoryPro cookie, which contains the SSO token of the resource owner giving consent.

When using the AM consent pages, this parameter is set in the consent page once the resource owner has authenticated, and it is sent to AM along with the consent.

When replacing AM consent pages with your own consent pages or when trying the flows without a browser, you must set this parameter manually. For an example of a curl command, see the Authorization code grant.

Required: Yes, for calls that submit a consent response, unless you use the Remote Consent Service to gather consent.

scope

Specify the scopes linked to the permissions requested by the client to the resource owner. If not specified, the default scopes specified in the client or the authorization server are requested.

Required: No.

decision

Specifies whether the resource owner consents to the requested access. Set to allow to grant consent. Any other value denies consent.

Required: Yes, to submit consent on non-interactive calls, unless consent is already saved for the scope.

save_consent

Updates the resource owner’s profile to avoid having to prompt the resource owner to grant authorization when the client issues subsequent authorization requests.

Set this parameter to on to save the consent.

To save the consent, you must have configured the Saved Consent Attribute Name property with a profile attribute in which to store the resource owner’s consent decision.

For more information on setting this property in the OAuth 2.0 provider service, see OAuth2 Provider.

Required: No.
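
The parameters above combined into one consent submission made without a browser, as an added example that is not taken from the AM documentation. It assumes a form-encoded POST sent with curl; the function names, the DRY_RUN and SAVE_CONSENT variables, and every sample value are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example; host, realm, token and user code are constructed samples.

# Compose the realm-specific endpoint. "/alpha/sub" becomes
# <base>/oauth2/realms/root/realms/alpha/realms/sub/device/user
device_user_url() {
    base=${1%/}
    path="/oauth2/realms/root"
    old_ifs=$IFS
    IFS=/
    for realm in $2; do
        if [ -n "$realm" ]; then path="$path/realms/$realm"; fi
    done
    IFS=$old_ifs
    printf '%s%s/device/user\n' "$base" "$path"
}

# Submit the consent decision. The csrf form value repeats the value of the
# iPlanetDirectoryPro cookie (the resource owner's SSO token).
# DRY_RUN and SAVE_CONSENT are hypothetical variables introduced by this example.
submit_device_consent() {
    endpoint=$1
    sso_token=$2
    user_code=$3
    decision=${4:-deny}    # only "allow" grants consent; anything else denies
    set -- --silent --request POST \
        --cookie "iPlanetDirectoryPro=$sso_token" \
        --data-urlencode "user_code=$user_code" \
        --data-urlencode "csrf=$sso_token" \
        --data-urlencode "decision=$decision"
    if [ "${SAVE_CONSENT:-}" = on ]; then
        set -- "$@" --data-urlencode "save_consent=on"
    fi
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$@" "$endpoint"   # print the request, send nothing
    else
        curl "$@" "$endpoint"
    fi
}

# Dry run in a subshell so the settings do not leak into the caller.
(
    DRY_RUN=1
    SAVE_CONSENT=on
    url=$(device_user_url "https://openam.example.com:8443/openam" "/alpha")
    submit_device_consent "$url" "AQIC5w-sample-token*" "VAL12e0v" allow
)
```

The SSO token appears in curl's argument list, which other local users can read from the process table, so on shared hosts pass it through a curl config file instead.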