OAuth 2.0 Device Authorization Grant
RFC 8628

Approval announcement
Draft of message to be sent after approval:

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: The IESG <iesg@ietf.org>, ekr@rtfm.com, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, rifaat.ietf@gmail.com, draft-ietf-oauth-device-flow@ietf.org, oauth-chairs@ietf.org, oauth@ietf.org, rfc-editor@rfc-editor.org
Subject: Protocol Action: 'OAuth 2.0 Device Authorization Grant' to Proposed Standard (draft-ietf-oauth-device-flow-15.txt)

The IESG has approved the following document:
- 'OAuth 2.0 Device Authorization Grant'
  (draft-ietf-oauth-device-flow-15.txt) as Proposed Standard

This document is the product of the Web Authorization Protocol Working Group.

The IESG contact persons are Benjamin Kaduk and Eric Rescorla.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/


Technical Summary

  This OAuth 2.0 authorization flow for browserless and input constrained devices, often referred to as the device flow, enables OAuth clients to request user authorization from devices that have an Internet connection, but don't have an easy input method (such as a smart TV, media console, picture frame, or printer), or lack a suitable browser for a more traditional OAuth flow.  This authorization flow instructs the user to perform the authorization request on a secondary device, such as a smartphone.  There is no requirement for communication between the constrained device and the user's secondary device.


Working Group Summary

  The device flow used to be part of the OAuth 2.0 specification, but it was later moved to its own separate document based on the WG feedback and support:
https://mailarchive.ietf.org/arch/msg/oauth/pQafddqfV3W3U_skHuR7E6ZQ44I
https://mailarchive.ietf.org/arch/msg/oauth/U7FsPASLxhNz4eB2FNypw4n952c

The WG document received many reviews and feedbacks from multiple WG members on the mailing list and during the WG meetings.


Document Quality

The document has been implemented by Google, Facebook, Microsoft, ForgeRock, Salesforce, Curity Identity Server, and MITREid Connect.
https://developers.google.com/youtube/v3/guides/auth/devices
https://developers.facebook.com/docs/facebook-login/for-devices
https://github.com/Azure-Samples/active-directory-dotnet-deviceprofile
https://backstage.forgerock.com/docs/am/5.5/oauth2-guide/#rest-api-oauth2-device-flow
https://releasenotes.docs.salesforce.com/en-us/spring17/release-notes/rn_security_auth_device_flow.htm
https://www.curity.io/product/
https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server

Also, it seems that ETSI has a specification based on this document:
https://www.ietf.org/mail-archive/web/oauth/current/msg15969.html
https://mailarchive.ietf.org/arch/msg/oauth/23ARrozt4RUUHA_NRiet7c38oIA
http://www.etsi.org/deliver/etsi_ts/103400_103499/103407/01.01.01_60/ts_103407v010101p.pdf
https://tech.ebu.ch/groups/CPA

There is also a different use for this mechanism as stated here:
https://mailarchive.ietf.org/arch/msg/oauth/VzEo9rqC3kmqCuLFR-JcYQvIM3Q
 

Personnel

  
The document shepherd is Rifaat Shekh-Yusef. 
The responsible Area Director is Eric Rescorla.