Device authorization through mobile applications
In addition to initiating a regular OAuth authorization flow, mobile applications and single-page web applications can use the authentication API to initiate and complete the user authorization side of the OAuth device authorization flow.
There are a few differences between this case and the non-device case:
-
You don’t need to select Allow Authentication API Redirectless Mode on the Client window for the OAuth device client because the mobile or single-page web application doesn’t receive tokens at the end of the flow.
-
For the same reason, in the case of web applications, you don’t need to enable Allow Redirectless Mode on the Authentication Application window when configuring the authentication API application.
-
The initial request is made to the user authorization endpoint
/as/user_authz.oauth2
rather than/as/authorization.oauth2
. As with the non-device flow, you must specifypi.flow
for theresponse_mode
. Optionally, the initial request can also provide theuser_code
. This endpoint doesn’t need any other parameters. -
At the end of the flow, the
OAUTH_DEVICE_COMPLETED
state is returned to the API client. This response doesn’t include an authorization code or tokens.
As with the non-device flow, you must select Bypass Authorization Approval on the Client window for the device client because the PingFederate authentication API does not yet support the OAuth consent approval step.
The models and actions for the OAUTH_DEVICE_USER_CODE_REQUIRED
, OAUTH_DEVICE_USER_CODE_CONFIRMATION_REQUIRED
, and OAUTH_DEVICE_COMPLETED
states are documented in the Authentication API Explorer under the PingFederate Core adapter.