The Device Grant
What Is The Device Grant And Why Would You Use It?
Heya,
One relatively unique aspect of customer identity and access management is the prevalence of devices without great keyboard inputs. This includes:
TVs
gaming consoles
connected devices (less common)
The device grant is not a good choice if the system you are targeting has a normal QWERTY keyboard.
If you've ever tried to log in to Netflix or a similar service and groaned because you had a secure password that required a lot of scrolling around with the cursor, you'll understand the pain.
One way for a developer to enable a usable, secure login experience is to use the device grant. With the device grant, which is RFC 8628, instead of the user typing credentials into a device like a TV with limited keyboard input, the device presents a code such as WDJB-MJHT and a URL.
The TV or other device must be able to present a URL and code, so there needs to be some kind of user interface. For totally headless devices, the device grant isn't a great answer. I'm not sure there is a great standards-based solution for logging into a device with no UX.
The URL is often shown as a QR code, or is extremely simple: https://example.com/device/login or similar. The URL points to an application which accepts user credentials. In the OAuth world, that application is called an authorization server.
The user visits the URL with a phone or laptop browser, logs in if needed, and enters the code displayed on the screen. While this requires users to have an additional device with a rich keyboard nearby, how many folks are far from their phone? And for those of us who like password managers, it's far easier to access one from the laptop than from the TV.
After the code has been entered, the TV, which has been polling the authorization server, then gets a token tied to the authentication event and knows the user has logged in.
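To make the three steps above concrete, here is an added example (my own toy code, not from the newsletter or from any authorization server product) that simulates the RFC 8628 exchange in memory in Python: the TV asks the authorization server for a device code and user code, the user approves the user code from a browser, and the TV polls the token endpoint until a token is issued. The class names, the `tv-app` client id, the user name `alice` and the fake clock are all constructed for the example; the error strings (`authorization_pending`, `slow_down`, `expired_token`) are the ones RFC 8628 defines. It also shows the checks a server side should make: codes drawn from a vowel-free alphabet, a lifetime on the code, a minimum polling interval, and a device code that can only be redeemed once by the client that requested it.

```python
# Added example: an in-memory simulation of the RFC 8628 device grant.
# AuthorizationServer, FakeClock, the client id "tv-app" and user "alice" are constructed for illustration.
import secrets
import time

# RFC 8628 section 6.1 suggests a user-code alphabet without vowels so codes cannot spell words.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


class AuthorizationServer:
    """Toy authorization server with the two endpoints the device grant needs."""

    def __init__(self, verification_uri="https://example.com/device/login",
                 lifetime=600, interval=5, clock=time.time):
        self.verification_uri = verification_uri
        self.lifetime = lifetime      # seconds a device/user code pair stays valid
        self.interval = interval      # minimum seconds between polls by the device
        self.clock = clock
        self.sessions = {}            # device_code -> session state
        self.by_user_code = {}        # normalized user_code -> device_code

    def device_authorization(self, client_id):
        """Step 1: the device (TV) requests codes; this is what it shows on screen."""
        device_code = secrets.token_urlsafe(32)
        raw = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        user_code = f"{raw[:4]}-{raw[4:]}"
        self.sessions[device_code] = {
            "client_id": client_id, "expires_at": self.clock() + self.lifetime,
            "last_poll": None, "subject": None, "consumed": False,
        }
        self.by_user_code[raw] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": self.verification_uri,
                "verification_uri_complete": f"{self.verification_uri}?user_code={user_code}",
                "expires_in": self.lifetime, "interval": self.interval}

    def approve(self, user_code, subject):
        """Step 2: a user already logged in on a phone or laptop types the code."""
        key = user_code.replace("-", "").upper()        # tolerate lowercase and missing hyphen
        device_code = self.by_user_code.get(key)
        if device_code is None:
            return False                                 # unknown code: reject, do not hint why
        session = self.sessions[device_code]
        if self.clock() > session["expires_at"] or session["subject"] is not None:
            return False                                 # expired, or already bound to a user
        session["subject"] = subject
        return True

    def token(self, client_id, device_code):
        """Step 3: the device polls; returns (ok, payload) in the shape of the token response."""
        session = self.sessions.get(device_code)
        if session is None or session["client_id"] != client_id or session["consumed"]:
            return False, {"error": "invalid_grant"}    # wrong client or code already redeemed
        now = self.clock()
        if now > session["expires_at"]:
            del self.sessions[device_code]
            return False, {"error": "expired_token"}
        if session["last_poll"] is not None and now - session["last_poll"] < self.interval:
            session["last_poll"] = now
            return False, {"error": "slow_down"}        # device is polling faster than allowed
        session["last_poll"] = now
        if session["subject"] is None:
            return False, {"error": "authorization_pending"}
        session["consumed"] = True                       # one device code yields one token
        return True, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                      "subject": session["subject"]}


class FakeClock:
    """Deterministic clock so the example runs instantly instead of sleeping."""

    def __init__(self, t=1000.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def run_flow(approve_after_polls=2):
    """Drive the whole exchange; returns (list of token-endpoint outcomes, final token or None)."""
    clock = FakeClock()
    server = AuthorizationServer(clock=clock)
    grant = server.device_authorization("tv-app")
    # The TV would now display grant["user_code"] and grant["verification_uri"],
    # or render grant["verification_uri_complete"] as a QR code.
    responses, interval = [], grant["interval"]
    for n in range(10):
        ok, payload = server.token("tv-app", grant["device_code"])
        responses.append(payload.get("error", "ok"))
        if ok:
            return responses, payload
        if payload["error"] == "slow_down":
            interval += 5                                # RFC 8628: back off by 5 seconds
        if n == approve_after_polls:
            # The user enters the code on a phone; lowercase input is accepted.
            assert server.approve(grant["user_code"].lower(), "alice")
        clock.advance(interval)
    return responses, None


if __name__ == "__main__":
    print(run_flow())
```

The device keeps polling on `authorization_pending` and only sees a token after the user has approved the code in the browser; the same device code returns `invalid_grant` once redeemed, and a code that is never approved expires after `lifetime` seconds.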
The device grant is a great example of the power of standards to solve a problem many people had in an elegant way.
Dan
