Skip to main content

OAuth 2.0 Device Authorization Grant
RFC 8628

Approval announcement
Draft of message to be sent after approval:


From: The IESG <>
To: IETF-Announce <>
Cc: The IESG <>,, Rifaat Shekh-Yusef <>,,,,,
Subject: Protocol Action: 'OAuth 2.0 Device Authorization Grant' to Proposed Standard (draft-ietf-oauth-device-flow-15.txt)

The IESG has approved the following document:
- 'OAuth 2.0 Device Authorization Grant'
  (draft-ietf-oauth-device-flow-15.txt) as Proposed Standard

This document is the product of the Web Authorization Protocol Working Group.

The IESG contact persons are Benjamin Kaduk and Eric Rescorla.

A URL of this Internet Draft is:

Ballot Text

Technical Summary

  This OAuth 2.0 authorization flow for browserless and input constrained devices, often referred to as the device flow, enables OAuth clients to request user authorization from devices that have an Internet connection, but don't have an easy input method (such as a smart TV, media console, picture frame, or printer), or lack a suitable browser for a more traditional OAuth flow.  This authorization flow instructs the user to perform the authorization request on a secondary device, such as a smartphone.  There is no requirement for communication between the constrained device and the user's secondary device.

Working Group Summary

  The device flow used to be part of the OAuth 2.0 specification, but it was later moved to its own separate document based on the WG feedback and support:

The WG document received many reviews and feedbacks from multiple WG members on the mailing list and during the WG meetings.

Document Quality

The document has been implemented by Google, Facebook, Microsoft, ForgeRock, Salesforce, Curity Identity Server, and MITREid Connect.

Also, it seems that ETSI has a specification based on this document:

There is also a different use for this mechanism as stated here:


The document shepherd is Rifaat Shekh-Yusef. 
The responsible Area Director is Eric Rescorla.

RFC Editor Note