Authorize my device

Anton Nalivayko
2 min read · Apr 5, 2019


Nowadays IoT devices are getting popular. Many of them have no browser or only a very simple display. So one of the questions in designing an application is how to authorize a browserless IoT device. The answer is device flow.

Device flow is a new OAuth way to authorize a device. It is not finished yet, but it works fine.

First of all, I will try to describe the problem. For example, you want to run an online player on a TV, you need to authorize the application, and you have to type your credentials using the keyboard.

With device flow, you just scan a barcode with your mobile phone and the app is authorized.

Yes, authorization on devices becomes that simple. Let's see the steps.

  1. The device makes an authorization request to the authorization server, and the server returns a device code, a user code, and a verification URL.
  2. The device shows the user code and the verification URL. The URL can also be converted into a QR code.
  3. The user scans the QR code with a phone, or just types the verification URL into a browser on the phone, a laptop or another device. The user must also be logged in on the phone or other device where the code is entered.
  4. The auth server returns a token to the device.
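
The exchange in the four steps above, as an added Python example that is not part of the article's C# demo: a constructed in-memory authorization server and a device on a simulated clock. It goes slightly beyond the steps by showing the polling behind step 4, using the grant type and error names from the OAuth device flow specification. The class and function names, the code alphabet, and the 300 second lifetime and 5 second interval are assumptions.

```python
import secrets  # constructed in-memory model of the device flow, not the article's code
GRANT = "urn:ietf:params:oauth:grant-type:device_code"
ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # no vowels or digits: easy to read off a screen

class AuthServer:
    def __init__(self, uri, lifetime=300, interval=5):
        self.uri, self.lifetime, self.interval, self.pending = uri, lifetime, interval, {}

    def device_authorization(self, client_id, now):  # step 1
        device_code = secrets.token_urlsafe(32)  # long secret, never shown to the user
        user_code = "".join(secrets.choice(ALPHABET) for _ in range(8))
        self.pending[device_code] = {"client": client_id, "user_code": user_code,
                                     "expires": now + self.lifetime, "user": None, "polled": None}
        return {"device_code": device_code, "user_code": user_code, "interval": self.interval,
                "verification_uri": self.uri, "expires_in": self.lifetime,
                "verification_uri_complete": f"{self.uri}?user_code={user_code}"}

    def approve(self, user_code, user, now):  # step 3: a logged-in user enters the code
        for s in self.pending.values():
            if now < s["expires"] and secrets.compare_digest(s["user_code"].encode(), user_code.encode()):
                s["user"] = user
                return True
        return False

    def token(self, client_id, grant_type, device_code, now):  # step 4: the device polls
        s = self.pending.get(device_code)
        if grant_type != GRANT or s is None or s["client"] != client_id:
            return {"error": "invalid_grant"}
        if now >= s["expires"]:  # short-lived codes limit user-code guessing
            del self.pending[device_code]
            return {"error": "expired_token"}
        last, s["polled"] = s["polled"], now
        if last is not None and now - last < self.interval:
            return {"error": "slow_down"}  # device polled faster than the interval
        if s["user"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # a device code is redeemed only once
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}

def device_login(server, client_id, approve_at, user="alice"):
    # Device side on a simulated clock in seconds; the user approves at approve_at.
    grant, now, log = server.device_authorization(client_id, 0), 0, []
    while True:
        now += grant["interval"]
        if now >= approve_at:
            server.approve(grant["user_code"], user, now)
        reply = server.token(client_id, GRANT, grant["device_code"], now)
        log.append(reply.get("error", "token"))
        if reply.get("error") != "authorization_pending":
            return reply, log
```

Calling `device_login(AuthServer("https://auth.example/device"), "device", approve_at=12)` returns the token reply together with the sequence of poll results; a user who never approves ends in `expired_token`.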

I created a test application to show how it works. As the authorization server I used IdentityServer4, and I created a device emulator in WPF.

First, you need to configure the identity provider:

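new Client
{
    ClientId = "device",
    EnableLocalLogin = true,
    ClientName = "Device Client",
    // Enable the OAuth device flow grant for this client
    AllowedGrantTypes = GrantTypes.DeviceFlow,
    // Public client: no client secret is required from the device
    RequireClientSecret = false,
    AlwaysIncludeUserClaimsInIdToken = true,
    // Allow the device to request refresh tokens (offline_access)
    AllowOfflineAccess = true,
    AllowedScopes =
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        "api1"
    }
}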

After the device emulator starts, the auth server sends the user code, device code, auth URL and full verification URL.

You can go to the verification URL and enter the user code.

After successful authorization, the device can get data from the test API.

You can find the full example code at https://github.com/AntonNalyvaiko/DeviceFlow
