The OAuth Device Authorization Flow

Authorizing input-constrained devices like TVs by pairing with a phone.

The Problem It Solves

Some devices, like smart TVs and CLIs, cannot show a full browser or accept typing easily. The device authorization flow lets such a device get tokens by asking the user to approve it on a second device with a browser.

The Steps

  • The device requests a device code and a short user code from the authorization server.
  • It shows the user a URL and the user code to enter on their phone or laptop.
  • The device polls the token endpoint while the user authenticates and consents.
  • Once approved, the device receives its tokens.

Security Notes

  • User codes are short, so the server must rate limit entry attempts.
  • The device must respect the polling interval to avoid being throttled.
  • Display the approving app clearly so users do not authorize the wrong device.
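The four steps above and the two server-side safeguards (rate-limited user-code entry, enforced polling interval) can be walked through in one place. The following is an added illustration written for this lesson, not code from the page or from any real authorization server: it simulates both parties of the device flow in memory, with a logical clock (`now`, in seconds) instead of wall time so that a run is repeatable. The verification URL, client ids and the cut-off of three failed code entries are constructed values; the `slow_down` handling (add 5 seconds to the interval) follows RFC 8628.

```python
"""Toy walk-through of the OAuth 2.0 device authorization flow (RFC 8628).

Added illustration, not from the lesson. Simulates a tiny authorization server
(rate-limited user-code entry, polling-interval enforcement) and a device client
that honours `interval` and `slow_down`. `now` is a logical clock in seconds.
"""
import secrets

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # no vowels, no 0/1/O/I look-alikes


class AuthorizationServer:
    def __init__(self, interval=5, code_ttl=600, max_code_attempts=3):
        self.interval = interval                    # minimum seconds between polls
        self.code_ttl = code_ttl                    # lifetime of a code pair
        self.max_code_attempts = max_code_attempts  # failed user-code entries allowed
        self.sessions = {}                          # device_code -> session state
        self.by_user_code = {}                      # user_code -> device_code
        self.failed_code_entries = 0                # toy global counter

    def device_authorization(self, client_id, now):
        """Step 1: the device asks for a long device code and a short user code."""
        device_code = secrets.token_urlsafe(32)
        raw = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        user_code = f"{raw[:4]}-{raw[4:]}"
        self.sessions[device_code] = {
            "client_id": client_id, "user_code": user_code, "status": "pending",
            "expires_at": now + self.code_ttl, "last_poll": None,
            "interval": self.interval,
        }
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://as.example/device",  # constructed
                "expires_in": self.code_ttl, "interval": self.interval}

    def verify_user_code(self, user_code, approve, now):
        """Step 2 on the phone/laptop: user types the code and consents.
        Short codes are guessable, so failed entries are counted and cut off."""
        if self.failed_code_entries >= self.max_code_attempts:
            return "too_many_attempts"
        session = self.sessions.get(self.by_user_code.get(user_code.strip().upper()))
        if session is None or session["expires_at"] <= now or session["status"] != "pending":
            self.failed_code_entries += 1
            return "invalid_code"
        session["status"] = "approved" if approve else "denied"
        return session["status"]

    def token(self, device_code, now):
        """Steps 3/4: the device polls; the server enforces the interval."""
        session = self.sessions.get(device_code)
        if session is None:
            return {"error": "invalid_grant"}
        if session["expires_at"] <= now:
            del self.sessions[device_code]
            return {"error": "expired_token"}
        last, session["last_poll"] = session["last_poll"], now
        if last is not None and now - last < session["interval"]:
            session["interval"] += 5          # RFC 8628: slow_down adds 5 s
            return {"error": "slow_down"}
        if session["status"] == "pending":
            return {"error": "authorization_pending"}
        if session["status"] == "denied":
            del self.sessions[device_code]
            return {"error": "access_denied"}
        del self.sessions[device_code]        # device code is single use
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


class DeviceClient:
    """The TV side: shows the code, then polls no faster than the server allows."""
    def __init__(self, server, client_id):
        self.server, self.client_id = server, client_id
        self.grant, self.interval, self.next_poll_at, self.token = None, None, 0, None

    def start(self, now):
        self.grant = self.server.device_authorization(self.client_id, now)
        self.interval = self.grant["interval"]
        self.next_poll_at = now
        return f"Visit {self.grant['verification_uri']} and enter {self.grant['user_code']}"

    def poll(self, now):
        """Outcome of this poll, or 'waiting' if the interval has not elapsed yet."""
        if now < self.next_poll_at:
            return "waiting"
        resp = self.server.token(self.grant["device_code"], now)
        if "access_token" in resp:
            self.token = resp["access_token"]
            return "authorized"
        if resp["error"] == "slow_down":
            self.interval += 5                # back off as the server demands
        self.next_poll_at = now + self.interval
        return resp["error"]


if __name__ == "__main__":
    server, tv = AuthorizationServer(), None
    tv = DeviceClient(server, "smart-tv")
    print(tv.start(now=0))                    # what the TV screen would show
    print(tv.poll(now=0))                     # authorization_pending
    print(server.verify_user_code(tv.grant["user_code"], True, now=3))
    print(tv.poll(now=5), bool(tv.token))     # authorized True
```

`AuthorizationServer.token` treats `expired_token` and `access_denied` as terminal and discards the session, while a well-behaved `DeviceClient` only ever sees `slow_down` if something else polls with its device code; calling `server.token` directly too quickly shows the interval growing by 5 seconds per violation.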

Key idea

The device flow moves consent to a browser-capable second device while the input-limited device polls for tokens, so rate-limit code entry and honor polling intervals.

Check yourself

1. Why does the device flow exist?

2. How does the device learn it was approved?