This repository has been archived on 2024-05-31. You can view files and clone it, but cannot push or open issues or pull requests.
authentik/website/docs/providers/oauth2/device_code.md
Jens L 8ed2f7fe9e
providers/oauth2: add device flow (#3334)
* start device flow

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* web: fix inconsistent app filtering

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add tenant device code flow

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add throttling to device code view

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* somewhat unrelated changes

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add initial device code entry flow

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add finish stage

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* it works

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add support for verification_uri_complete

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add some tests

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add more tests

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add docs

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-10-11 12:42:10 +02:00

2 KiB

Device code flow

(Also known as device flow and RFC 8628)

This type of authentication flow is useful for devices with limited input abilities and/or devices without browsers.

Requirements

This device flow is only possible if the active tenant has a device code flow setup. This device code flow is run after the user logs in, and before the user authenticates.

Device-side

The flow is initiated by sending a POST request to the device authorization endpoint, /application/o/device/ with the following contents:

POST /application/o/device/ HTTP/1.1
Host: authentik.company
Content-Type: application/x-www-form-urlencoded

client_id=application_client_id&
scopes=openid email my-other-scope

The response contains the following fields:

  • device_code: Device code, which is the code kept on the device
  • verification_uri: The URL to be shown to the enduser to input the code
  • verification_uri_complete: The same URL as above except the code will be prefilled
  • user_code: The raw code for the enduser to input
  • expires_in: The total seconds after which this token will expire
  • interval: The interval in seconds for how often the device should check the token status

With this response, the device can start checking the status of the token by sending requests to the token endpoint like this:

POST /application/o/token/ HTTP/1.1
Host: authentik.company
Content-Type: application/x-www-form-urlencoded

grant_type=urn:ietf:params:oauth:grant-type:device_code&
client_id=application_client_id&
device_code=device_code_from_above

If the user has not opened the link above yet, or has not finished the authentication and authorization yet, the response will contain an error element set to authorization_pending. The device should re-send the request in the interval set above.

If the user has finished the authentication and authorization, the response will be similar to any other generic OAuth2 Token request, containing access_token and id_token.