Facilitator: Steffo Weber
What's the purpose of OAuth device flow?
For devices with restricted input/output capabilities.
How can we get these devices to act on our behalf? How to authorise?
The device talks to the OAuth AS (authorization server), gets a "device code", presents it to the user through some display, and the user then uses that code to authorise ("pair") the device to their identity.
Can also be used with devices that have no display at all, so long as the code can be shown through some other means, e.g. another web service. Sonos does something similar (albeit not keeping to this standard).
Demo using a small Lua-programmed device (https://www.lua.org). Once paired, OpenIG calls Twilio to ping the phone.
Is it secure? Proof of Possession (PoP) can help ensure that the client presenting an access token is the original client to which the token was issued. It uses PKI.
Q: But PoP doesn't solve man-in-the-middle attacks.
A: Correct. TLS.
Q: Can the device code UI on AM be customized?
A: Yes.
Q: What are some real world use cases for OAuth device flow?
A: Smart scales, TV, vacuum cleaners, ...
Q: Can AM's code generator be modified?
A: Only length so far, but could be an enhancement request.
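The pairing exchange described in the notes above (device obtains a code, user approves it elsewhere, device polls until a token appears), written out as an added Python simulation of the RFC 8628 device authorization flow. This is not code from the session, from AM or from OpenIG: both the device side and the authorization server are in-memory fakes, the client ids, the verification URI and the FakeClock are assumptions, and there is no network or real identity provider involved. It also covers the failure paths a real AS has to return (slow_down, expired_token, access_denied, single-use device codes), which the notes only hint at.

```python
"""Simulated OAuth 2.0 device authorization flow (RFC 8628).
Constructed example: the device and the authorization server (AS) are
in-memory fakes; client ids, URIs and the FakeClock are assumptions."""
import secrets
from dataclasses import dataclass
from typing import Optional

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"
# RFC 8628 sec. 6.1 suggests a consonant-only alphabet: no accidental words,
# easier to read off a TV screen and type on a phone.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"
USER_CODE_LEN = 8


class FakeClock:
    """Deterministic clock so polling and back-off can be exercised offline."""
    def __init__(self, start: float = 1000.0):
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


@dataclass
class DeviceGrant:
    device_code: str            # long secret, only the device ever sees it
    user_code: str              # short, human-typeable, shown on the device's display
    scope: str
    expires_at: float
    interval: int               # minimum seconds between token polls
    last_poll: float = float("-inf")
    subject: Optional[str] = None   # set once a user approves at the verification URI
    denied: bool = False
    redeemed: bool = False


class FakeAuthorizationServer:
    def __init__(self, clock: FakeClock, lifetime: int = 600, interval: int = 5):
        self.clock, self.lifetime, self.interval = clock, lifetime, interval
        self.by_device_code: dict = {}
        self.by_user_code: dict = {}

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """POST /device_authorization: the device asks for a code pair."""
        grant = DeviceGrant(
            device_code=secrets.token_urlsafe(32),
            user_code="".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(USER_CODE_LEN)),
            scope=scope,
            expires_at=self.clock.now() + self.lifetime,
            interval=self.interval,
        )
        self.by_device_code[grant.device_code] = grant
        self.by_user_code[grant.user_code] = grant
        return {
            "device_code": grant.device_code,
            "user_code": f"{grant.user_code[:4]}-{grant.user_code[4:]}",  # hyphen is display only
            "verification_uri": "https://as.example/device",             # placeholder
            "expires_in": self.lifetime,
            "interval": self.interval,
        }

    def _lookup_user_code(self, typed: str) -> Optional[DeviceGrant]:
        # Normalise what the user typed. A real AS must also rate-limit this
        # endpoint, because the user code alone carries only 20^8 possibilities.
        return self.by_user_code.get(typed.replace("-", "").replace(" ", "").upper())

    def user_approves(self, typed_code: str, subject: str) -> bool:
        """The user, already logged in on a browser, pairs the device with their identity."""
        grant = self._lookup_user_code(typed_code)
        if grant is None or self.clock.now() > grant.expires_at:
            return False
        grant.subject = subject
        return True

    def user_denies(self, typed_code: str) -> bool:
        grant = self._lookup_user_code(typed_code)
        if grant is None:
            return False
        grant.denied = True
        return True

    def token(self, client_id: str, grant_type: str, device_code: str) -> dict:
        """POST /token: the device polls with its device_code until a decision exists."""
        if grant_type != GRANT_TYPE:
            return {"error": "unsupported_grant_type"}
        grant = self.by_device_code.get(device_code)
        if grant is None or grant.redeemed:         # device codes are single use
            return {"error": "invalid_grant"}
        now = self.clock.now()
        if now > grant.expires_at:
            return {"error": "expired_token"}
        if now - grant.last_poll < grant.interval:
            grant.last_poll = now
            grant.interval += 5                      # RFC 8628 sec. 3.5: back off 5 s more
            return {"error": "slow_down", "interval": grant.interval}
        grant.last_poll = now
        if grant.denied:
            return {"error": "access_denied"}
        if grant.subject is None:
            return {"error": "authorization_pending"}
        grant.redeemed = True
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer", "scope": grant.scope}


def device_poll(as_: FakeAuthorizationServer, clock: FakeClock, client_id: str,
                device_code: str, interval: int, max_polls: int = 20) -> dict:
    """Device-side loop: honour the interval and slow_down, stop on any terminal answer."""
    for _ in range(max_polls):
        resp = as_.token(client_id, GRANT_TYPE, device_code)
        err = resp.get("error")
        if err == "slow_down":
            interval = resp["interval"]
        elif err != "authorization_pending":
            return resp                              # token, access_denied, expired_token, ...
        clock.advance(interval)                      # a real device would time.sleep(interval)
    return {"error": "gave_up"}


def run_demo() -> dict:
    """Happy path: device shows the code, polls twice while the user types, then gets a token."""
    clock = FakeClock()
    as_ = FakeAuthorizationServer(clock)
    start = as_.device_authorization("lua-gadget", "phone:ping")   # constructed client id / scope
    # The device would now display start["user_code"] and start["verification_uri"].
    for _ in range(2):
        assert as_.token("lua-gadget", GRANT_TYPE, start["device_code"])["error"] == "authorization_pending"
        clock.advance(start["interval"])
    assert as_.user_approves(start["user_code"].lower(), "alice")   # user types it in lower case
    return device_poll(as_, clock, "lua-gadget", start["device_code"], start["interval"])


if __name__ == "__main__":
    print(run_demo())
```

The two codes play different roles: the device code is a high-entropy secret that never leaves the device, while the user code is deliberately short so a person can read it from a screen and type it into a browser, which is why the AS has to rate-limit the verification endpoint and expire codes quickly. Nothing here binds the issued access token to the device, which is the gap that Proof of Possession (mentioned in the notes) is meant to close.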
------------------------------------------------------------------------------------------------