The biggest new feature in IdentityServer4 v2.3 is support for the Device Flow specification (still an IETF draft at the time of writing).
Device Flow is a flavour of OAuth 2.0 optimised for devices that have no browser and/or no convenient way to type, e.g. TVs, gaming consoles, printers, cash registers, audio appliances and similar.
The flow works like this:
- The client sends a so-called “device authorization request” to the device authorization endpoint. The response contains two codes: a device code (a high-entropy secret that only the client ever sees) and a short, human-typeable user code, plus the verification URL and the polling interval the client has to respect.
- The client shows the user the verification URL together with the user code, or a URL that already embeds it, e.g. https://login.company.com/pair/usercode. The client might also render that URL as a QR code to make the process even simpler.
- The user is now supposed to open this URL on a separate device, e.g. a laptop or a phone/tablet. There the user authenticates and consents. While this is happening, the client polls the token endpoint with the device code and gets back an authorization_pending error until the interactive part is done (or slow_down if it polls faster than the announced interval).
- Once the interactive part is done, the token endpoint returns the typical OAuth tokens, i.e. an access token and, if allowed for the client, a refresh token. If the user declined, the client gets access_denied instead; if nobody completed the interaction before the codes expired, it gets expired_token. Because the user code is short and low-entropy, the lifetime of both codes must be kept short and the verification endpoint should be rate limited.
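To make the exchange concrete, here is a small in-process simulation of the flow above, added for this post; it is not IdentityServer4's implementation. One class plays the authorization server (device authorization endpoint, the verification page's decision, and the token endpoint), one function plays the polling device, and a fake clock stands in for real time so the whole thing runs instantly. The verification URL, client id, user name and token values are made up.

```python
import secrets
from dataclasses import dataclass

# Consonant-only alphabet (as recommended in the device flow spec) so that user codes
# never spell real words by accident.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

class FakeClock:
    """Stand-in for time.time()/time.sleep() so the simulation needs no real waiting."""
    def __init__(self):
        self.now = 0.0

    def sleep(self, seconds):
        self.now += seconds

@dataclass
class PendingAuthorization:
    client_id: str
    scope: str
    user_code: str
    expires_at: float
    interval: int
    last_poll: float = float("-inf")   # first poll is always allowed
    status: str = "pending"            # pending | approved | denied
    subject: str = ""                  # set once the user has signed in

class AuthorizationServer:
    """Plays the authorization server; URL below is made up, not an IdentityServer4 endpoint."""
    verification_uri = "https://login.example.com/device"

    def __init__(self, clock, lifetime=600, interval=5):
        self.clock, self.lifetime, self.interval = clock, lifetime, interval
        self.by_device_code, self.by_user_code = {}, {}

    def device_authorization(self, client_id, scope):
        """Step 1: hand out a secret device code and a short, typeable user code."""
        device_code = secrets.token_urlsafe(32)
        raw = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        user_code = f"{raw[:4]}-{raw[4:]}"
        auth = PendingAuthorization(client_id, scope, user_code,
                                    self.clock.now + self.lifetime, self.interval)
        self.by_device_code[device_code] = auth
        self.by_user_code[user_code] = auth
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": self.verification_uri,
                "verification_uri_complete": f"{self.verification_uri}?user_code={user_code}",
                "expires_in": self.lifetime, "interval": self.interval}

    def complete_user_interaction(self, user_code, subject, approved):
        """Step 2: what the verification page records after the user signs in and consents (or refuses)."""
        auth = self.by_user_code.get(user_code.upper())
        if auth is None or self.clock.now > auth.expires_at:
            raise KeyError("unknown or expired user code")
        auth.status, auth.subject = ("approved" if approved else "denied"), subject

    def token(self, grant_type, device_code, client_id):
        """Step 3: the token endpoint the device polls; error codes as in the device flow spec."""
        if grant_type != DEVICE_CODE_GRANT:
            return {"error": "unsupported_grant_type"}
        auth = self.by_device_code.get(device_code)
        if auth is None or auth.client_id != client_id:
            return {"error": "invalid_grant"}
        now = self.clock.now
        if now > auth.expires_at:
            self._consume(device_code, auth)
            return {"error": "expired_token"}
        if now - auth.last_poll < auth.interval:
            auth.interval += 5                 # client polled too fast; it must back off by 5 s
            auth.last_poll = now
            return {"error": "slow_down"}
        auth.last_poll = now
        if auth.status == "pending":
            return {"error": "authorization_pending"}
        self._consume(device_code, auth)       # both codes are single use
        if auth.status == "denied":
            return {"error": "access_denied"}
        return {"access_token": "at-" + secrets.token_hex(8), "refresh_token": "rt-" + secrets.token_hex(8),
                "token_type": "Bearer", "expires_in": 3600, "scope": auth.scope, "sub": auth.subject}

    def _consume(self, device_code, auth):
        self.by_device_code.pop(device_code, None)
        self.by_user_code.pop(auth.user_code, None)

def poll_for_tokens(server, client_id, device_response, sleep):
    """The device side: poll until tokens arrive, honouring interval and slow_down; fatal errors raise."""
    interval = device_response["interval"]
    while True:
        result = server.token(DEVICE_CODE_GRANT, device_response["device_code"], client_id)
        if "error" not in result:
            return result
        if result["error"] == "slow_down":
            interval += 5
        elif result["error"] != "authorization_pending":
            raise RuntimeError(result["error"])
        sleep(interval)

def run_flow(approve_after_polls=2, approved=True):
    """Drive one complete flow on the fake clock; the (made-up) user acts during the Nth wait."""
    clock, polls = FakeClock(), 0
    server = AuthorizationServer(clock)
    device = server.device_authorization("tv-app", "openid api")

    def sleep(seconds):
        nonlocal polls
        polls += 1
        clock.sleep(seconds)
        if polls == approve_after_polls:   # user opens verification_uri_complete on another device
            server.complete_user_interaction(device["user_code"], "alice", approved)

    try:
        return poll_for_tokens(server, "tv-app", device, sleep)
    except RuntimeError as exc:
        return {"error": str(exc)}
```

`run_flow()` walks through the happy path (two pending polls, then tokens), `run_flow(approved=False)` ends in `access_denied`, and `run_flow(approve_after_polls=None)` shows the codes dying after `expires_in` seconds. Note that the token endpoint checks the client id against the one that started the flow and forgets both codes after a single successful or denied exchange, which is the behaviour you want from a real server too.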
Or, if you think a picture is worth a thousand words, here is the ASCII art from the RFC: