Try Device Flow with IdentityServer4

The biggest new feature in IdentityServer4 v2.3 is support for the beta Device Flow specification.

Device Flow is a flavour of OAuth 2.0 optimised for browserless and/or input-constrained devices. Things like TVs, gaming consoles, printers, cash registers, audio appliances etc. come to mind here.

The flow works like this:

  1. The client does a so called “device authorization request”. This returns both a device code and a user code.
  2. The client typically shows a URL to the user that includes the user code, e.g. The client might also show a QR code for that URL, to make that process even simpler.
  3. The user is now supposed to go to this URL on a separate device, e.g. a laptop computer or a phone/tablet. There the user will authenticate and consent. While this is happening, the client polls the token endpoint with the device code to find out when this part is done.
  4. Once the interactive part is done, the token endpoint will return the typical OAuth tokens like access and refresh token.
  5. Done

Or, if you think a picture says more than 1000 words – here’s the ASCII art from the RFC:

Screenshot 2019-02-08 13.03.06.png

You can try Device Flow with our demo instance of IdentityServer4 – and here is a fully functional client/api sample to go along with it.


This entry was posted in ASP.NET Core, IdentityServer, OAuth. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s