Add deviceAuthorizationUrl field to OAuthFlow object

- Added DeviceAuthorizationUrl property to OpenApiOAuthFlow model
- Added DeviceAuthorizationUrl constant to OpenApiConstants
- Updated serialization logic:
  - For OpenAPI 3.2: serializes as "deviceAuthorizationUrl"
  - For OpenAPI 3.1 and 3.0: serializes as "x-oai-deviceAuthorizationUrl" (extension)
- Updated deserialization logic for V32, V31, and V3 deserializers
- Updated copy constructor to include DeviceAuthorizationUrl
- Added tests for serialization in all versions (V3.0, V3.1, V3.2)
- Added tests for deserialization in all versions (V3.0, V3.1, V3.2)
- Updated PublicApi.approved.txt with new public API members
- Ran performance benchmarks and included updated results

Co-authored-by: baywet <[email protected]>

Author: Copilot

performance/benchmark/BenchmarkDotNet.Artifacts/results/performance.Descriptions-report-github.md

@@ -1,10 +1,10 @@
 ```
 
-BenchmarkDotNet v0.15.4, Windows 11 (10.0.26200.6584)
-11th Gen Intel Core i7-1185G7 3.00GHz, 1 CPU, 8 logical and 4 physical cores
+BenchmarkDotNet v0.15.4, Linux Ubuntu 24.04.3 LTS (Noble Numbat)
+AMD EPYC 7763 2.45GHz, 1 CPU, 4 logical and 2 physical cores
 .NET SDK 8.0.414
-  [Host]   : .NET 8.0.20 (8.0.20, 8.0.2025.41914), X64 RyuJIT x86-64-v4
-  ShortRun : .NET 8.0.20 (8.0.20, 8.0.2025.41914), X64 RyuJIT x86-64-v4
+  [Host]   : .NET 8.0.20 (8.0.20, 8.0.2025.41914), X64 RyuJIT x86-64-v3
+  ShortRun : .NET 8.0.20 (8.0.20, 8.0.2025.41914), X64 RyuJIT x86-64-v3
 
 Job=ShortRun  IterationCount=3  LaunchCount=1  
 WarmupCount=3  

performance/benchmark/BenchmarkDotNet.Artifacts/results/performance.Descriptions-report.html

@@ -13,18 +13,18 @@
 </head>
 <body>
 <pre><code>
-BenchmarkDotNet v0.15.4, Windows 11 (10.0.26200.6584)
-11th Gen Intel Core i7-1185G7 3.00GHz, 1 CPU, 8 logical and 4 physical cores
+BenchmarkDotNet v0.15.4, Linux Ubuntu 24.04.3 LTS (Noble Numbat)
+AMD EPYC 7763 2.45GHz, 1 CPU, 4 logical and 2 physical cores
 .NET SDK 8.0.414
-  [Host]   : .NET 8.0.20 (8.0.20, 8.0.2025.41914), X64 RyuJIT x86-64-v4
-  ShortRun : .NET 8.0.20 (8.0.20, 8.0.2025.41914), X64 RyuJIT x86-64-v4
+  [Host]   : .NET 8.0.20 (8.0.20, 8.0.2025.41914), X64 RyuJIT x86-64-v3
+  ShortRun : .NET 8.0.20 (8.0.20, 8.0.2025.41914), X64 RyuJIT x86-64-v3
 </code></pre>
 <pre><code>Job=ShortRun  IterationCount=3  LaunchCount=1  
 WarmupCount=3  
 </code></pre>
 
 <table>
-<thead><tr><th>Method</th><th>Mean    </th><th>Error </th><th>StdDev</th><th>Gen0</th><th>Gen1</th><th>Gen2</th><th>Allocated</th>
+<thead><tr><th>Method</th><th>Mean    </th><th>Error  </th><th>StdDev</th><th>Gen0</th><th>Gen1</th><th>Gen2</th><th>Allocated</th>
 </tr>
 </thead><tbody><tr><td>PetStoreYaml</td><td>677.8 &mu;s</td><td>3,027.4 &mu;s</td><td>165.94 &mu;s</td><td>62.5000</td><td>11.7188</td><td>-</td><td>387.38 KB</td>
 </tr><tr><td>PetStoreJson</td><td>224.0 &mu;s</td><td>158.9 &mu;s</td><td>8.71 &mu;s</td><td>40.0391</td><td>8.7891</td><td>-</td><td>249.52 KB</td>

performance/benchmark/BenchmarkDotNet.Artifacts/results/performance.EmptyModels-report-github.md

@@ -1,10 +1,10 @@
 ```
 
-BenchmarkDotNet v0.15.4, Windows 11 (10.0.26200.6584)
-11th Gen Intel Core i7-1185G7 3.00GHz, 1 CPU, 8 logical and 4 physical cores
+BenchmarkDotNet v0.15.4, Linux Ubuntu 24.04.3 LTS (Noble Numbat)
+AMD EPYC 7763 2.45GHz, 1 CPU, 4 logical and 2 physical cores
 .NET SDK 8.0.414
-  [Host]   : .NET 8.0.20 (8.0.20, 8.0.2025.41914), X64 RyuJIT x86-64-v4
-  ShortRun : .NET 8.0.20 (8.0.20, 8.0.2025.41914), X64 RyuJIT x86-64-v4
+  [Host]   : .NET 8.0.20 (8.0.20, 8.0.2025.41914), X64 RyuJIT x86-64-v3
+  ShortRun : .NET 8.0.20 (8.0.20, 8.0.2025.41914), X64 RyuJIT x86-64-v3
 
 Job=ShortRun  IterationCount=3  LaunchCount=1  
 WarmupCount=3  

performance/benchmark/BenchmarkDotNet.Artifacts/results/performance.EmptyModels-report.html

@@ -13,11 +13,11 @@
 </head>
 <body>
 <pre><code>
-BenchmarkDotNet v0.15.4, Windows 11 (10.0.26200.6584)
-11th Gen Intel Core i7-1185G7 3.00GHz, 1 CPU, 8 logical and 4 physical cores
+BenchmarkDotNet v0.15.4, Linux Ubuntu 24.04.3 LTS (Noble Numbat)
+AMD EPYC 7763 2.45GHz, 1 CPU, 4 logical and 2 physical cores
 .NET SDK 8.0.414
-  [Host]   : .NET 8.0.20 (8.0.20, 8.0.2025.41914), X64 RyuJIT x86-64-v4
-  ShortRun : .NET 8.0.20 (8.0.20, 8.0.2025.41914), X64 RyuJIT x86-64-v4
+  [Host]   : .NET 8.0.20 (8.0.20, 8.0.2025.41914), X64 RyuJIT x86-64-v3
+  ShortRun : .NET 8.0.20 (8.0.20, 8.0.2025.41914), X64 RyuJIT x86-64-v3
 </code></pre>
 <pre><code>Job=ShortRun  IterationCount=3  LaunchCount=1  
 WarmupCount=3  

src/Microsoft.OpenApi/Models/OpenApiConstants.cs

@@ -575,6 +575,11 @@ public static class OpenApiConstants
         /// </summary>
         public const string RefreshUrl = "refreshUrl";
 
+        /// <summary>
+        /// Field: DeviceAuthorizationUrl
+        /// </summary>
+        public const string DeviceAuthorizationUrl = "deviceAuthorizationUrl";
+
         /// <summary>
         /// Field: Scopes
         /// </summary>

src/Microsoft.OpenApi/Models/OpenApiOAuthFlow.cs

@@ -28,6 +28,11 @@ public class OpenApiOAuthFlow : IOpenApiSerializable, IOpenApiExtensible
         /// </summary>
         public Uri? RefreshUrl { get; set; }
 
+        /// <summary>
+        /// The URL to be used for device authorization (RFC 8628).
+        /// </summary>
+        public Uri? DeviceAuthorizationUrl { get; set; }
+
         /// <summary>
         /// REQUIRED. A map between the scope name and a short description for it.
         /// </summary>
@@ -51,6 +56,7 @@ public OpenApiOAuthFlow(OpenApiOAuthFlow oAuthFlow)
             AuthorizationUrl = oAuthFlow?.AuthorizationUrl != null ? new Uri(oAuthFlow.AuthorizationUrl.OriginalString, UriKind.RelativeOrAbsolute) : null;
             TokenUrl = oAuthFlow?.TokenUrl != null ? new Uri(oAuthFlow.TokenUrl.OriginalString, UriKind.RelativeOrAbsolute) : null;
             RefreshUrl = oAuthFlow?.RefreshUrl != null ? new Uri(oAuthFlow.RefreshUrl.OriginalString, UriKind.RelativeOrAbsolute) : null;
+            DeviceAuthorizationUrl = oAuthFlow?.DeviceAuthorizationUrl != null ? new Uri(oAuthFlow.DeviceAuthorizationUrl.OriginalString, UriKind.RelativeOrAbsolute) : null;
             Scopes = oAuthFlow?.Scopes != null ? new Dictionary<string, string>(oAuthFlow.Scopes) : null;
             Extensions = oAuthFlow?.Extensions != null ? new Dictionary<string, IOpenApiExtension>(oAuthFlow.Extensions) : null;
         }
@@ -97,6 +103,21 @@ private void SerializeInternal(IOpenApiWriter writer, OpenApiSpecVersion version
             // refreshUrl
             writer.WriteProperty(OpenApiConstants.RefreshUrl, RefreshUrl?.ToString());
 
+            // deviceAuthorizationUrl
+            // For OpenAPI 3.2, serialize as a regular field
+            // For OpenAPI 3.1 and 3.0, serialize as an extension with x-oai- prefix
+            if (DeviceAuthorizationUrl != null)
+            {
+                if (version == OpenApiSpecVersion.OpenApi3_2)
+                {
+                    writer.WriteProperty(OpenApiConstants.DeviceAuthorizationUrl, DeviceAuthorizationUrl.ToString());
+                }
+                else
+                {
+                    writer.WriteProperty("x-oai-deviceAuthorizationUrl", DeviceAuthorizationUrl.ToString());
+                }
+            }
+
             // scopes
             writer.WriteRequiredMap(OpenApiConstants.Scopes, Scopes, (w, s) => w.WriteValue(s));
 

src/Microsoft.OpenApi/Reader/V3/OpenApiOAuthFlowDeserializer.cs

@@ -48,6 +48,17 @@ internal static partial class OpenApiV3Deserializer
                         }
                     }
                 },
+                {
+                    "x-oai-deviceAuthorizationUrl",
+                    (o, n, _) =>
+                    {
+                        var url = n.GetScalarValue();
+                        if (url != null)
+                        {
+                            o.DeviceAuthorizationUrl = new(url, UriKind.RelativeOrAbsolute);
+                        }
+                    }
+                },
                 {"scopes", (o, n, _) => o.Scopes = n.CreateSimpleMap(LoadString).Where(kv => kv.Value is not null).ToDictionary(kv => kv.Key, kv => kv.Value!)}
             };
 

src/Microsoft.OpenApi/Reader/V31/OpenApiOAuthFlowDeserializer.cs

@@ -45,6 +45,17 @@ internal static partial class OpenApiV31Deserializer
                         }
                     }
                 },
+                {
+                    "x-oai-deviceAuthorizationUrl",
+                    (o, n, _) =>
+                    {
+                        var url = n.GetScalarValue();
+                        if (url != null)
+                        {
+                            o.DeviceAuthorizationUrl = new(url, UriKind.RelativeOrAbsolute);
+                        }
+                    }
+                },
                 {"scopes", (o, n, _) => o.Scopes = n.CreateSimpleMap(LoadString).Where(kv => kv.Value is not null).ToDictionary(kv => kv.Key, kv => kv.Value!)}
             };
 

src/Microsoft.OpenApi/Reader/V32/OpenApiOAuthFlowDeserializer.cs

@@ -45,6 +45,17 @@ internal static partial class OpenApiV32Deserializer
                         }
                     }
                 },
+                {
+                    "deviceAuthorizationUrl",
+                    (o, n, _) =>
+                    {
+                        var url = n.GetScalarValue();
+                        if (url != null)
+                        {
+                            o.DeviceAuthorizationUrl = new(url, UriKind.RelativeOrAbsolute);
+                        }
+                    }
+                },
                 {"scopes", (o, n, _) => o.Scopes = n.CreateSimpleMap(LoadString).Where(kv => kv.Value is not null).ToDictionary(kv => kv.Key, kv => kv.Value!)}
             };
 

test/Microsoft.OpenApi.Readers.Tests/V31Tests/OpenApiOAuthFlowTests.cs

@@ -0,0 +1,38 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT license.
+
+using System;
+using System.IO;
+using System.Threading.Tasks;
+using Microsoft.OpenApi.Reader;
+using Xunit;
+
+namespace Microsoft.OpenApi.Readers.Tests.V31Tests
+{
+    [Collection("DefaultSettings")]
+    public class OpenApiOAuthFlowTests
+    {
+        private const string SampleFolderPath = "V31Tests/Samples/OpenApiSecurityScheme/";
+
+        [Fact]
+        public async Task ParseOAuth2SecuritySchemeWithDeviceAuthorizationUrlShouldSucceed()
+        {
+            // Act
+            var securityScheme = await OpenApiModelFactory.LoadAsync<OpenApiSecurityScheme>(
+                Path.Combine(SampleFolderPath, "oauth2SecuritySchemeWithDeviceUrl.yaml"),
+                OpenApiSpecVersion.OpenApi3_1,
+                new(),
+                SettingsFixture.ReaderSettings);
+
+            // Assert
+            Assert.NotNull(securityScheme);
+            Assert.Equal(SecuritySchemeType.OAuth2, securityScheme.Type);
+            Assert.NotNull(securityScheme.Flows?.AuthorizationCode);
+            Assert.Equal(new Uri("https://example.com/api/oauth/dialog"), securityScheme.Flows.AuthorizationCode.AuthorizationUrl);
+            Assert.Equal(new Uri("https://example.com/api/oauth/token"), securityScheme.Flows.AuthorizationCode.TokenUrl);
+            Assert.Equal(new Uri("https://example.com/api/oauth/device"), securityScheme.Flows.AuthorizationCode.DeviceAuthorizationUrl);
+            Assert.NotNull(securityScheme.Flows.AuthorizationCode.Scopes);
+            Assert.Equal(2, securityScheme.Flows.AuthorizationCode.Scopes.Count);
+        }
+    }
+}