PingOne Advanced Identity Cloud

/oauth2/device/user

This is the Device authorization grant endpoint for user interaction.

Client devices use this endpoint to confirm the resource owner’s consent in the following flows:

Specify the realm in the request URL; for example:

https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/device/user

The device user endpoint supports the following parameters:

| Parameter | Description | Required |
| --- | --- | --- |
| csrf | The SSO token string linking the request to the user session to protect against Cross-Site Request Forgery attacks. | Yes, when gathering consent without a remote consent service |
| decision | Whether the resource owner consents to the requested access. | Yes, when gathering consent unless consent is already saved for the scope |
| save_consent | Whether to store a resource owner’s consented scopes. | No |
| scope | The scopes linked to the permissions requested by the client from the resource owner. | No |
| user_code | The user code confirmed by the resource owner. The endpoint checks for the user_code on the initial request and uses it to retrieve the associated device code to determine if any ACRs were requested. If ACRs were requested, the user authenticates through the specified authentication journey. If a user accesses the endpoint without supplying a user_code, the user authenticates through the default authentication journey. If that journey doesn’t match the ACRs required by the device request, the user is prompted to reauthenticate after entering the code. | Yes |
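
The following Python sketch is an added example, not code from the service or its documentation. It models how the Required column applies to a consent submission, including the check that ties csrf to the session. The function name, its arguments, the space-separated scope format, and all sample values are assumptions made for illustration.

```python
import hmac

def check_consent_request(params, session_token, *, remote_consent=False,
                          saved_scopes=frozenset()):
    """Return a list of problems with a /oauth2/device/user consent submission.

    Hypothetical model of the parameter table, not the service's implementation.
    params: decoded form fields (dict of str -> str).
    session_token: SSO token of the authenticated session (assumed available).
    saved_scopes: scopes for which the resource owner's consent is already saved.
    """
    problems = []

    # user_code is always required.
    if not params.get("user_code"):
        problems.append("user_code missing")

    # csrf is required unless a remote consent service gathers the consent.
    if not remote_consent:
        csrf = params.get("csrf", "")
        if not csrf:
            problems.append("csrf missing")
        # Constant-time comparison, so timing does not leak how much matched.
        elif not hmac.compare_digest(csrf.encode(), session_token.encode()):
            problems.append("csrf does not match session")

    # decision is required unless consent is already saved for the scope.
    # Assumption: scope is a space-separated list, as in OAuth 2.0 requests.
    requested = set(params.get("scope", "").split())
    covered = bool(requested) and requested <= set(saved_scopes)
    if not covered and not params.get("decision"):
        problems.append("decision missing")

    return problems

# Constructed sample values; none of them come from a real tenant.
SESSION = "constructed-sso-token"
GOOD = {"user_code": "ABCD1234", "csrf": SESSION, "decision": "example-decision"}
FORGED = dict(GOOD, csrf="value-from-another-origin")
NO_DECISION = {"user_code": "ABCD1234", "csrf": SESSION, "scope": "profile"}

if __name__ == "__main__":
    for name, req in (("good", GOOD), ("forged", FORGED), ("no decision", NO_DECISION)):
        print(name, check_consent_request(req, SESSION))
```
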