Try Device Flow with IdentityServer4

The biggest new feature in IdentityServer4 v2.3 is support for the beta Device Flow specification.

Device Flow is a flavour of OAuth 2.0 optimised for browserless and/or input-constrained devices. Things like TVs, gaming consoles, printers, cash registers, audio appliances etc. come to mind here.

The flow works like this:

  1. The client does a so-called “device authorization request”. This returns both a device code and a user code.
  2. The client typically shows a URL to the user that includes the user code, e.g. https://login.company.com/pair/usercode. The client might also show a QR code for that URL, to make that process even simpler.
  3. The user is now supposed to go to this URL on a separate device, e.g. a laptop computer or a phone/tablet. There the user will authenticate and consent. While this is happening, the client polls the token endpoint with the device code to find out when this part is done.
  4. Once the interactive part is done, the token endpoint will return the typical OAuth tokens like access and refresh token.
  5. Done

Or, if you think a picture says more than 1000 words – here’s the ASCII art from the RFC:

[Figure: the Device Flow sequence diagram (ASCII art) from the RFC; image not reproduced here]
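The five steps above as an added, self-contained example (my own code, not the client/API sample the post points to and not IdentityServer4 itself): a toy in-memory authorization server plus the client polling loop, including the `authorization_pending`, `slow_down` and `expired_token` responses the spec defines for the token endpoint. The hostname login.example.test and the 5-second interval are assumptions; `clock` and `sleep` are injected so the exchange runs without real waiting.

```python
import secrets
class DeviceAuthServer:
    def __init__(self, clock, interval=5, lifetime=300):
        self.clock, self.interval, self.lifetime = clock, interval, lifetime
        self.pending = {}  # device_code -> state; clock is injected so tests control time

    def device_authorization(self, client_id):
        # Step 1: device_code is a secret the client polls with; user_code is short enough to type.
        device_code, user_code = secrets.token_urlsafe(32), secrets.token_hex(4).upper()
        self.pending[device_code] = {"user_code": user_code, "approved": False,
                                     "expires": self.clock() + self.lifetime, "last_poll": None}
        return {"device_code": device_code, "user_code": user_code, "interval": self.interval,
                "verification_uri_complete": f"https://login.example.test/pair/{user_code}",
                "expires_in": self.lifetime}

    def approve(self, user_code):
        # Step 3, on the user's own device: after login and consent the user code is approved.
        hits = [s for s in self.pending.values() if s["user_code"] == user_code]
        for s in hits: s["approved"] = True
        return bool(hits)

    def token(self, device_code):
        # Token endpoint, polled by the client with the device code (steps 3 and 4).
        s = self.pending.get(device_code)
        if s is None: return {"error": "invalid_grant"}
        now = self.clock()
        if now > s["expires"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if s["last_poll"] is not None and now - s["last_poll"] < self.interval:
            s["last_poll"] = now
            return {"error": "slow_down"}  # polled too fast: client must back off
        s["last_poll"] = now
        if not s["approved"]:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # device code is single use
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}

def poll_for_token(server, auth, sleep):
    # Client side: wait the advertised interval, add 5s on slow_down, give up on any other error.
    interval = auth["interval"]
    while True:
        sleep(interval)
        r = server.token(auth["device_code"])
        if "access_token" in r:
            return r
        if r["error"] == "slow_down":
            interval += 5
        elif r["error"] != "authorization_pending":
            raise RuntimeError(r["error"])
```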

You can try Device Flow with our demo instance of IdentityServer4 – and here is a fully functional client/api sample to go along with it.

HTH
