OAuth 2.0 Device Authorization Grant
Draft of message to be sent after approval:
From: The IESG <firstname.lastname@example.org> To: IETF-Announce <email@example.com> Cc: The IESG <firstname.lastname@example.org>, email@example.com, Rifaat Shekh-Yusef <firstname.lastname@example.org>, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com Subject: Protocol Action: 'OAuth 2.0 Device Authorization Grant' to Proposed Standard (draft-ietf-oauth-device-flow-15.txt) The IESG has approved the following document: - 'OAuth 2.0 Device Authorization Grant' (draft-ietf-oauth-device-flow-15.txt) as Proposed Standard This document is the product of the Web Authorization Protocol Working Group. The IESG contact persons are Benjamin Kaduk and Eric Rescorla. A URL of this Internet Draft is: https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/
Technical Summary This OAuth 2.0 authorization flow for browserless and input constrained devices, often referred to as the device flow, enables OAuth clients to request user authorization from devices that have an Internet connection, but don't have an easy input method (such as a smart TV, media console, picture frame, or printer), or lack a suitable browser for a more traditional OAuth flow. This authorization flow instructs the user to perform the authorization request on a secondary device, such as a smartphone. There is no requirement for communication between the constrained device and the user's secondary device. Working Group Summary The device flow used to be part of the OAuth 2.0 specification, but it was later moved to its own separate document based on the WG feedback and support: https://mailarchive.ietf.org/arch/msg/oauth/pQafddqfV3W3U_skHuR7E6ZQ44I https://mailarchive.ietf.org/arch/msg/oauth/U7FsPASLxhNz4eB2FNypw4n952c The WG document received many reviews and feedbacks from multiple WG members on the mailing list and during the WG meetings. Document Quality The document has been implemented by Google, Facebook, Microsoft, ForgeRock, Salesforce, Curity Identity Server, and MITREid Connect. https://developers.google.com/youtube/v3/guides/auth/devices https://developers.facebook.com/docs/facebook-login/for-devices https://github.com/Azure-Samples/active-directory-dotnet-deviceprofile https://backstage.forgerock.com/docs/am/5.5/oauth2-guide/#rest-api-oauth2-device-flow https://releasenotes.docs.salesforce.com/en-us/spring17/release-notes/rn_security_auth_device_flow.htm https://www.curity.io/product/ https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server Also, it seems that ETSI has a specification based on this document: https://www.ietf.org/mail-archive/web/oauth/current/msg15969.html https://mailarchive.ietf.org/arch/msg/oauth/23ARrozt4RUUHA_NRiet7c38oIA http://www.etsi.org/deliver/etsi_ts/103400_103499/103407/01.01.01_60/ts_103407v010101p.pdf https://tech.ebu.ch/groups/CPA There is also a different use for this mechanism as stated here: https://mailarchive.ietf.org/arch/msg/oauth/VzEo9rqC3kmqCuLFR-JcYQvIM3Q Personnel The document shepherd is Rifaat Shekh-Yusef. The responsible Area Director is Eric Rescorla.