|
| 1 | +Device authorization grant flow |
| 2 | +==================================================== |
| 3 | + |
| 4 | +Scenario |
| 5 | +-------- |
| 6 | +In :doc:`Part 1 <tutorial_01>` you created your own :term:`Authorization Server` and it's running along just fine. |
| 7 | +You have devices that your users have and those users need to authenticate the device against your |
| 8 | +:term:`Authorization Server` in order to make the required api calls. |
| 9 | + |
| 10 | +Device Authorization |
| 11 | +----------------- |
| 12 | +The OAuth 2.0 device authorization grant is designed for Internet |
| 13 | +connected devices that either lack a browser to perform a user-agent |
| 14 | +based authorization or are input constrained to the extent that |
| 15 | +requiring the user to input text in order to authenticate during the |
| 16 | +authorization flow is impractical. It enables OAuth clients on such |
| 17 | +devices (like smart TVs, media consoles, digital picture frames, and |
| 18 | +printers) to obtain user authorization to access protected resources |
| 19 | +by using a user agent on a separate device. |
| 20 | + |
| 21 | + |
| 22 | +Point your browser to http://127.0.0.1:8000/o/applications/register/ create an application. |
| 23 | + |
| 24 | +Fill the form as show in the screenshot below, and before saving take note of ``Client id``. |
| 25 | +Make sure the client type is set to "Public". There are cases where a confidential client makes sense |
| 26 | +but generally, it assumed the device is unable to safely store the client secret. |
| 27 | + |
| 28 | +.. image:: _images/application-register-device-code.png |
| 29 | + :alt: Device Authorization application registration |
| 30 | + |
| 31 | +Ensure the setting OAUTH_DEVICE_VERIFICATION_URI is set to a uri you want to come back |
| 32 | +verification_uri key in the response. This is what the device will use display |
| 33 | +to the user |
| 34 | + |
| 35 | +1: cd into the tests/app/idp directory |
| 36 | + |
| 37 | +.. code-block:: sh |
| 38 | + curl --location 'http://127.0.0.1:8000/o/device-authorization/' \ |
| 39 | + --header 'Content-Type: application/x-www-form-urlencoded' \ |
| 40 | + --data-urlencode 'client_id={your application's client id}' |
| 41 | +
|
| 42 | +The OAuth2 provider will return the following response: |
| 43 | +
|
| 44 | +.. code-block:: json |
| 45 | +{ |
| 46 | + "verification_uri": "http://127.0.0.1:8000/o/device", |
| 47 | + "expires_in": 1800, |
| 48 | + "user_code": "A32RVADM", |
| 49 | + "device_code": "G30j94v0kNfipD4KmGLTWeL4eZnKHm", |
| 50 | + "interval": 5 |
| 51 | +} |
| 52 | +
|
| 53 | +Go to http://127.0.0.1:8000/o/device in browser |
| 54 | +
|
| 55 | +.. image:: _images/device-enter-code-displayed.png |
| 56 | +
|
| 57 | +Enter the code and it will redirect to the device-confirm endpoint |
| 58 | +
|
| 59 | +/device-confirm endpoint [device polling is happening concurrently] |
| 60 | +------------- |
| 61 | +
|
| 62 | +.. image:: _images/device-approve-deny.png |
| 63 | +
|
| 64 | +/Device polling [user approving or denying happens concurrently] |
| 65 | +------------- |
| 66 | +Note: You should already have the /token endpoint implemented in your authorization server before this. |
| 67 | +
|
| 68 | +Send this request (in the real world the device makes this request): |
| 69 | +
|
| 70 | +.. code-block:: sh |
| 71 | + curl --location 'http://localhost:8000/o/token/' \ |
| 72 | + --header 'Content-Type: application/x-www-form-urlencoded' \ |
| 73 | + --data-urlencode 'device_code={the device code from the device-authorization response}' \ |
| 74 | + --data-urlencode 'client_id={your application's client id}' \ |
| 75 | + --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:device_code' |
| 76 | +
|
| 77 | +.. code-block:: json |
| 78 | +{ |
| 79 | + "access_token": "SkJMgyL432P04nHDPyB63DEAM0nVxk", |
| 80 | + "expires_in": 36000, |
| 81 | + "token_type": "Bearer", |
| 82 | + "scope": "openid", |
| 83 | + "refresh_token": "Go6VumurDfFAeCeKrpCKPDtElV77id" |
| 84 | +} |
| 85 | + |
| 86 | + |
0 commit comments