There are a few differences between this case and the non-device case:

  • You don't need to select Allow Authentication API Redirectless Mode on the Client window for the OAuth device client because the mobile or single-page web application doesn't receive tokens at the end of the flow.
  • For the same reason, in the case of web applications, you don't need to enable Allow Redirectless Mode on the Authentication Application window when configuring the authentication API application.
  • The initial request is made to the user authorization endpoint /as/user_authz.oauth2 rather than /as/authorization.oauth2. As with the non-device flow, you must specify pi.flow for the response_mode. Optionally, the initial request can also provide the user_code. This endpoint doesn't need any other parameters.
  • At the end of the flow, the OAUTH_DEVICE_COMPLETED state is returned to the API client. This response doesn't include an authorization code or tokens.

As with the non-device flow, you must select Bypass Authorization Approval on the Client window for the device client because the PingFederate authentication API does not yet support the OAuth consent approval step.

The models and actions for the OAUTH_DEVICE_USER_CODE_REQUIRED, OAUTH_DEVICE_USER_CODE_CONFIRMATION_REQUIRED, and OAUTH_DEVICE_COMPLETED states are documented in the Authentication API Explorer under the PingFederate Core adapter.
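The state sequence above, as an added example (not PingFederate's own code or a Ping Identity sample): a small Python driver that starts at /as/user_authz.oauth2 with response_mode=pi.flow, answers the two interactive states, and stops at OAUTH_DEVICE_COMPLETED without expecting a code or tokens. The action names, the /pf-ws/authn/flows/ endpoint layout, the `X-XSRF-Header` convention and the fake server are assumptions made here; confirm the real action names and models in the Authentication API Explorer.

```python
import urllib.parse

START_PATH = "/as/user_authz.oauth2"   # device user-authorization endpoint (from the page)
FLOW_BASE = "/pf-ws/authn/flows/"      # assumed authentication API flow endpoint
# Assumed action names for the two interactive states; verify them in the
# Authentication API Explorer (PingFederate Core adapter) before relying on them.
ACTIONS = {
    "OAUTH_DEVICE_USER_CODE_REQUIRED": "submitUserCode",
    "OAUTH_DEVICE_USER_CODE_CONFIRMATION_REQUIRED": "confirmUserCode",
}
TOKEN_KEYS = ("code", "access_token", "refresh_token", "id_token")

def start_path(user_code=None):
    """Initial request: response_mode=pi.flow is mandatory, user_code is optional."""
    params = {"response_mode": "pi.flow"}
    if user_code:
        params["user_code"] = user_code
    return START_PATH + "?" + urllib.parse.urlencode(params)

def run_device_flow(send, get_user_code, user_code=None, max_steps=10):
    """Drive the flow to OAUTH_DEVICE_COMPLETED. send(method, path, headers, body) does one
    HTTP exchange and returns the JSON body as a dict; get_user_code() supplies the code."""
    state = send("GET", start_path(user_code), {}, None)
    for _ in range(max_steps):
        status = state.get("status")
        if status == "OAUTH_DEVICE_COMPLETED":
            leaked = [k for k in TOKEN_KEYS if k in state]
            if leaked:  # the device flow must never hand a code or tokens to the API client
                raise RuntimeError(f"unexpected {leaked} in completed state")
            return state
        action = ACTIONS.get(status)
        if action is None:
            raise RuntimeError(f"unhandled state: {status}")
        model = {"userCode": get_user_code()} if action == "submitUserCode" else {}
        headers = {
            "Content-Type": f"application/vnd.pingidentity.{action}+json",
            "X-XSRF-Header": "PingFederate",  # assumed: required on POSTs to the flow endpoint
        }
        state = send("POST", FLOW_BASE + state["id"], headers, model)
    raise RuntimeError("flow did not complete")

def fake_send_factory(responses):
    """Constructed stand-in for the server: returns canned states and records each call."""
    calls, queue = [], list(responses)
    def send(method, path, headers, body):
        calls.append((method, path, headers, body))
        return queue.pop(0)
    return send, calls
```

The fake server exists only so the state handling can be exercised offline; a real client replaces `send` with an HTTP call against the PingFederate host.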