What problem does the OAuth device authorization flow solve?
Device flow (RFC 8628): designed for devices that have no browser or no convenient way to type (a TV, a CLI on a headless host), it lets such a device obtain tokens without ever handling the user's credentials. The user completes the authorization on a separate device (phone or laptop) by entering a short code, and the constrained device collects the result from the authorization server.
What is the user code in the device flow?
User code: the device displays a short, human-typeable code (e.g., WDJB-MJHT) together with a verification URL. The user opens that URL on a phone or laptop, enters the code, and authenticates with the authorization server; the code is what links that approval to the device's pending request. The device itself holds a separate, high-entropy device_code that is never shown to the user and is used only for polling.
What does the device do while waiting for the user to authorize?
Polling: after showing the code, the device repeatedly calls the token endpoint with its device_code (grant type urn:ietf:params:oauth:grant-type:device_code). It receives the authorization_pending error until the user approves, then receives tokens. It must wait at least the interval the server returned between polls; a slow_down error means it polled too fast and should add five seconds to its interval before trying again.
Why must the user code have a limited lifetime?
Code expiry: a user code must be short enough to type, so it carries little entropy (eight characters from a 20-letter alphabet is about 34 bits). A short lifetime, together with rate limiting on the verification endpoint, is what keeps brute-force guessing impractical, and it narrows the window in which a user can be talked into entering a code that someone else requested. If the code is not used before it expires, the token endpoint returns expired_token and the device must restart the flow and display a fresh code.
What does the device receive once the user approves?
Token issuance: once the user approves, the next poll returns an access token and usually a refresh token (if the user rejected the request, it returns access_denied instead). Each device code is single use and is consumed by that exchange. The device stores the tokens in protected storage and uses the refresh token to obtain new access tokens without repeating the user-facing step.
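The five cards above describe one procedure. As an added example that is not part of the original page, here is that procedure end to end in Python: a hypothetical in-memory authorization server exposing the device-authorization and token endpoints, and the device-side polling loop that handles authorization_pending, slow_down, access_denied and expired_token. The network is replaced by direct method calls and wall-clock time by a fake clock so the whole flow runs instantly; all names (FakeAuthServer, run_device_flow, scenario, the example URL) are constructed for this illustration.

```python
import secrets

# RFC 8628 sec. 6.1 recommends a small, case-insensitive alphabet for the user code.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


class FakeClock:
    """Simulated time so the polling loop runs instantly and deterministically."""
    def __init__(self):
        self.t, self.events = 0, []           # events: (fire_at, callback)

    def now(self):
        return self.t

    def schedule(self, delay, cb):            # e.g. "the user approves 12 s from now"
        self.events.append((self.t + delay, cb))

    def sleep(self, seconds):
        self.t += seconds
        due = [e for e in self.events if e[0] <= self.t]
        self.events = [e for e in self.events if e[0] > self.t]
        for _, cb in due:
            cb()


class FakeAuthServer:
    """Hypothetical, in-memory authorization server (constructed for this example)."""
    def __init__(self, clock, expires_in=600, interval=5):
        self.clock, self.expires_in, self.interval = clock, expires_in, interval
        self.pending = {}                     # device_code -> request record
        self.last_user_code = None            # lets the test act as the user

    def device_authorization(self, client_id, scope):
        raw = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        rec = {"user_code": raw[:4] + "-" + raw[4:], "scope": scope, "client_id": client_id,
               "issued": self.clock.now(), "status": "pending", "last_poll": None}
        device_code = secrets.token_urlsafe(32)   # high entropy; never shown to the user
        self.pending[device_code] = rec
        self.last_user_code = rec["user_code"]
        return {"device_code": device_code, "user_code": rec["user_code"],
                "verification_uri": "https://as.example/device",   # hypothetical URL
                "expires_in": self.expires_in, "interval": self.interval}

    def user_decides(self, user_code, approve):
        """What the user does on the phone after entering the displayed code."""
        wanted = user_code.strip().upper().replace(" ", "").replace("-", "")
        for rec in self.pending.values():
            if rec["user_code"].replace("-", "") == wanted and rec["status"] == "pending":
                rec["status"] = "approved" if approve else "denied"
                return True
        return False                          # unknown, expired or already-used code

    def token(self, device_code):
        rec = self.pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        now = self.clock.now()
        if now - rec["issued"] > self.expires_in:
            del self.pending[device_code]     # expired: the device must start over
            return {"error": "expired_token"}
        if rec["last_poll"] is not None and now - rec["last_poll"] < self.interval:
            rec["last_poll"] = now
            return {"error": "slow_down"}     # polled faster than the advertised interval
        rec["last_poll"] = now
        if rec["status"] == "pending":
            return {"error": "authorization_pending"}
        del self.pending[device_code]         # approval or denial consumes the code
        if rec["status"] == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": secrets.token_urlsafe(32),
                "scope": rec["scope"]}


class DeviceFlowError(Exception):
    pass


def run_device_flow(server, clock, client_id="tv-app", scope="openid profile"):
    """Device side: request a code, show it, poll until tokens, denial or expiry."""
    auth = server.device_authorization(client_id, scope)
    print(f"On another device open {auth['verification_uri']} and enter {auth['user_code']}")
    interval, deadline = auth["interval"], clock.now() + auth["expires_in"]
    while clock.now() < deadline:
        clock.sleep(interval)                 # never poll before the interval has elapsed
        resp = server.token(auth["device_code"])
        if "access_token" in resp:
            return resp
        err = resp.get("error")
        if err == "authorization_pending":
            continue
        if err == "slow_down":
            interval += 5                     # RFC 8628 sec. 3.5: back off by 5 seconds
            continue
        raise DeviceFlowError(err)            # expired_token, access_denied, invalid_grant
    raise DeviceFlowError("expired_token")    # gave up locally; a fresh code is needed


def scenario(user_delay, approve, expires_in=600):
    """Run one flow; the user acts user_delay seconds after the prompt (None: never)."""
    clock = FakeClock()
    server = FakeAuthServer(clock, expires_in=expires_in)
    if user_delay is not None:
        clock.schedule(user_delay, lambda: server.user_decides(server.last_user_code, approve))
    try:
        return run_device_flow(server, clock)
    except DeviceFlowError as e:
        return {"error": str(e)}


def eager_poll_is_throttled():
    """A client that ignores the interval gets slow_down on its second poll."""
    clock = FakeClock()
    server = FakeAuthServer(clock)
    auth = server.device_authorization("tv-app", "openid")
    first = server.token(auth["device_code"])["error"]
    clock.sleep(1)                            # well inside the 5 second interval
    return first, server.token(auth["device_code"])["error"]
```

Running scenario(12, True) walks the happy path (two authorization_pending polls, then tokens at the third), scenario(12, False) ends in access_denied, and scenario(None, True, expires_in=30) polls until the code expires and reports expired_token, at which point a real device would display a new code. The server records are keyed by the unguessable device_code; the typeable user_code is only ever compared on the verification side, which is where rate limiting would sit in a real deployment.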