In this scenario, a user attempts to access a protected resource through a device client that lacks a browser or has limited user-input capabilities. For example, a smart TV, digital picture frame, or printer. The OAuth device authorization grant type allows a user to grant authorization to the device client using a browser on a second device, such as a smart phone or a computer. For more information about the grant type, see the OAuth 2.0 Device Authorization Grant specification.

OAuth device authorization grant

Processing steps

  1. The device sends a device authorization request to PingFederate, the authorization server (AS) at its device authorization endpoint.
  2. PingFederate returns a device authorization response. Among other parameters, the response contains a device code, a user code, a user authorization endpoint, and a user authorization endpoint with the user code in a query parameter.
  3. The device provides the user authorization endpoint (with or without the user code in a query parameter), the user code, and instructions to the user. For example:
    Using a browser on another device, visit:
    Enter the code:
  4. The device starts sending device access token requests to PingFederate at its token endpoint to poll whether the user has completed the authorization process.

    The device must include in its access token request the device authorization grant type (urn:ietf:params:oauth:grant-type:device_code), the device code, and the user code.

    For each device access token request it receives, PingFederate returns a device access token response; the payload varies depending on the authorization status.

  5. The user completes the authorization process by performing the following actions:
    1. Go to the user authorization endpoint on a second device that has a browser, such as a smartphone or a computer.
    2. Fulfill the authentication requirements.
    3. Enter the user code or confirm a pre-populated user code.
    4. Approve (or deny) the scope of permissions requested by the device.
  6. The device continues polling PingFederate for an authorization status.
  7. PingFederate validates the user code and provides the device with an access token in the device access token response.

    (If the user denies the scope of permissions, PingFederate provides the device with a relevant error message in the device access token response.)

  8. The device provides the access token to the resource server (RS) to access protected resources.
  9. The RS validates the access token.
  10. The RS provides the requested data to the device.