Page tree
Skip to end of metadata
Go to start of metadata

Facilitator: Steffo Weber

What's the purpose of OAuth device flow?

For devices with restricted input/output capabilities.

How can we get these devices to act on our behalf? How to authorise?
Device talks to OAuth AS, gets a "device code", presents this to the user through some display, and user then uses this to authorise ("pair") the device to their identity.

Can also be used with devices that have no display at all, so long as the code can be displayed through some other means, eg another web service. Sonos does something similar (albeit not keeping to this standard).
Demo using small Lua ( programmed device. Once paired, OpenIG calls Twilio to ping phone.

Is it secure? Proof of Possession can help ensure a client presenting an access token was the original client to which the token was issued. Uses PKI.

Q: But PoP doesn't solve man-in-the-middle attacks.
A: Correct. TLS.

Q: Can the device code UI on AM be customized?
A: Yes.

Q: What are some real world use cases for OAuth device flow?
A: Smart scales, TV, vacuum cleaners, ...

Q: Can AM's code generator be modified?
A: Only length so far, but could be an enhancement request.


OAuth 2.0 device flow 
- User tries to login to a page - gets redirected to Google (for example) and authenticated there. The user then given an auth token and with that token gets access to the original page.
Demo scenario:
Alarm system that notifies the person (by a phone call) who locked the door and activated the alarm.
- the alarm system sends a user code request to OpenAM
- OpenAm returns the user code and the alarm system displays it
- the person who activated the alarm system goes to OpenAM and types the code in
- OpenAM understands the code and authenticates the person
- The alarm system keeps sending authentication information request. Once the user has logged in the alarm system gets the auth token from OpenAM.
- If the alarm goes off it sends a request with the access token to IG
- IG (using Twillio) calls the user that the alarm went off
proof of possession token - contains the proof that the sender is the legitimate owner
  • No labels