File: src/content/docs/authenticate/device-authorization-flow/overview.mdx
Lines changed: 20 additions & 22 deletions
@@ -10,20 +10,18 @@ relatedArticles:
10
10
- 28c6e830-8e82-4bf8-aab7-87ebafeb68e4
11
11
---
12
12
13
-
Device Authorization Flow (RFC 8628) enables OAuth 2.0 authorization for devices with limited input capabilities, such as smart TVs, gaming consoles, or IoT devices. Users authenticate on a secondary device (like a phone or computer) while the primary device receives the access token.
13
+
Kinde's device authorization flow adheres to `RFC 8628`, also known as the OAuth 2.0 Device Authorization Grant. It enables authorization for devices with limited input capabilities, such as smart TVs, gaming consoles, or IoT devices. Users authenticate on a secondary device (like a phone or computer) while the primary device receives the access token.
14
14
15
-
## How it works
15
+
## How the device authentication flow works
16
16
17
-
The Device Authorization Flow follows these steps:
17
+
1.**Device requests authorization**: The device requests a device code and user code from Kinde.
18
+
2.**User authenticates**: The user visits a verification URI on another device and enters the user code.
19
+
3.**Device polls for token**: The device polls the token endpoint until authorization is complete.
20
+
4.**Access granted**: The device receives an access token and can call protected APIs.
18
21
19
-
1.**Device requests authorization**: The device requests a device code and user code from Kinde
20
-
2.**User authenticates**: The user visits a verification URI on another device and enters the user code
21
-
3.**Device polls for token**: The device polls the token endpoint until authorization is complete
22
-
4.**Access granted**: The device receives an access token and can call protected APIs
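Review bot: the four rewritten steps still have no space between the ordinal and the bold label (`1.**Device requests authorization**: ...`), so Markdown renders them as plain paragraphs rather than an ordered list; since these lines are being touched anyway, change each to the form `1. **Device requests authorization**: The device requests a device code and user code from Kinde.` Two further points in this hunk worth confirming: the lead-in sentence "The Device Authorization Flow follows these steps:" is dropped, so the list now sits directly under the heading with no introduction, and the `relatedArticles` entry `28c6e830-8e82-4bf8-aab7-87ebafeb68e4` is removed from the frontmatter without explanation, which silently drops a cross-link from the page.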
@@ -103,18 +101,18 @@ The device must poll the token endpoint at regular intervals until the user comp
103
101
|`expired_token`| Device code has expired | Request a new device code |
104
102
|`server_error`| Misconfigured device code | Request a new device code |
105
103
106
-
## Security considerations
104
+
## Security considerations for device authorization
107
105
108
-
-**User code format**: User codes are formatted as `XXXXXXXX` for easy entry
109
-
-**Verification URI**: Users should verify they're on the correct domain
110
-
-**Token expiration**: Access tokens expire after 1 hour by default
106
+
-**User code format**: User codes are formatted as `XXXXXXXX` for easy entry.
107
+
-**Verification URI**: Users should verify they're on the correct domain.
108
+
-**Token expiration**: Access tokens expire after 1 hour by default.
111
109
112
-
## Audience
110
+
## Specifying an audience in a device authorization request
113
111
114
112
If an `audience` is specified in the request, the access token will include the audience in the `aud` claim. Kinde supports requesting multiple audiences.
115
113
116
-
The API must be authorized for the Device Authorization application.
114
+
The API must be authorized for the device authorization application.
117
115
118
-
## Scopes and permissions
116
+
## Scopes and permissions for a device authorization request
119
117
120
118
If an audience is specified in the request, any scopes which are belong to that audience that are granted to the user by their role will also be granted to the device. The list of scopes will be displayed on the consent screen. If the user consents, the scopes will be included in the `scope` claim of the access token.
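Review bot: the unchanged context line at the end of the scopes section, "any scopes which are belong to that audience that are granted to the user by their role", has a grammatical slip that this hunk leaves in place while renaming the section heading; suggest "any scopes that belong to that audience and are granted to the user through their role will also be granted to the device". In the security considerations list the edits are punctuation only; the "Verification URI" bullet tells users to verify they're on the correct domain but does not say what they compare it against, so naming the verification URI the device displays in step 2 as the reference would make that guidance actionable.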