OAuth 2.0 Device Code Authorization Grant

This flow is an OAuth 2.0 extension that enables devices with no browser to obtain access tokens. We recommend it instead of the password grant because it supports the user's 2FA settings: the user is redirected to a browser for the actual authentication, so the device never handles the password.

Note: this flow is used by auth-get-sso-token, which can be used for all public clients. If you have a more complex use case you may need to develop your own code; please keep reading for guidance.

Configuration

  • The device code endpoint and token endpoint are available in the "well-known" endpoint.
  • The grant type is urn:ietf:params:oauth:grant-type:device_code.
  • This flow is available for both public and confidential clients and is enabled by default for new SSO registrations (if you want to enable it for an application already registered before 2023 please contact us).

Example (python)

import requests
import sys

token_endpoint = "https://auth.cern.ch/auth/realms/cern/protocol/openid-connect/token"
device_endpoint = "https://auth.cern.ch/auth/realms/cern/protocol/openid-connect/auth/device"
clientid = "demo"
clientsecret = "DELETED"

# Step 1: ask the authorization server for a device code and the URL the user must visit.
device_code = requests.post(
    device_endpoint,
    data={
        "client_id": clientid,
        "client_secret": clientsecret,  # Not required for public clients
    },
    headers={"Content-Type": "application/x-www-form-urlencoded"},
)
device_code.raise_for_status()
device_response = device_code.json()
print("Go to ", device_response['verification_uri_complete'])
input("Press Enter once you have authenticated...")

# Step 2: exchange the device code for tokens once the user has approved in the browser.
device_completion = requests.post(
    token_endpoint,
    data={
        "grant_type": "urn:ietf:params:oauth:grant-type:device_code",
        "device_code": device_response['device_code'],
        "client_id": clientid,
        "client_secret": clientsecret,  # Not required for public clients
    },
    headers={"Content-Type": "application/x-www-form-urlencoded"},
)
token_response = device_completion.json()
if "access_token" not in token_response:
    # e.g. "authorization_pending" if Enter was pressed before approving, or "expired_token"
    sys.exit(f"Token request failed: {token_response.get('error')} {token_response.get('error_description', '')}")
print("Your token:", token_response['access_token'])
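The script above waits for the user to press Enter and then sends a single token request. The device grant as specified in RFC 8628 instead has the device poll the token endpoint at the interval the server returned, treating "authorization_pending" and "slow_down" as "keep waiting" and everything else as a hard stop. The following is an added example, not code from the CERN page or the auth-get-sso-token tool: it keeps the endpoint URLs and the client_id "demo" from the page, uses only the standard library, and injects the HTTP transport and sleep function so the loop can be exercised offline against a scripted endpoint.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Added example (not CERN's code): the polling loop RFC 8628 prescribes for the device grant.
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"

def http_post(url, data):
    """Real transport: form-encoded POST returning (status, JSON body), 4xx error bodies included."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(data).encode(), method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)

def poll_for_token(post, token_endpoint, client_id, device_code,
                   interval=5, expires_in=600, client_secret=None, sleep=time.sleep):
    """Poll until the user approves, the code expires or a hard error arrives; returns (body, polls).
    `post` and `sleep` are injected so the loop can be exercised offline against a scripted endpoint."""
    data = {"grant_type": GRANT_TYPE, "device_code": device_code, "client_id": client_id}
    if client_secret:  # only confidential clients send a secret
        data["client_secret"] = client_secret
    elapsed = polls = 0
    while elapsed < expires_in:
        sleep(interval)  # never poll faster than the interval the server returned
        elapsed += interval
        polls += 1
        status, body = post(token_endpoint, data)
        if status == 200 and "access_token" in body:
            return body, polls
        error = body.get("error")
        if error == "authorization_pending":
            continue  # the user has not finished in the browser yet
        if error == "slow_down":
            interval += 5  # RFC 8628 section 3.5: back off by 5 seconds
            continue
        # access_denied, expired_token, invalid_grant, ...: stop instead of retrying
        raise RuntimeError(f"device flow failed: {error}: {body.get('error_description', '')}")
    raise TimeoutError("device code expired before the user approved it")

if __name__ == "__main__":  # live run against the endpoints named on the page (public client)
    base = "https://auth.cern.ch/auth/realms/cern/protocol/openid-connect"
    _, start = http_post(base + "/auth/device", {"client_id": "demo"})
    print("Go to", start["verification_uri_complete"])
    body, _ = poll_for_token(http_post, base + "/token", "demo", start["device_code"],
                             start.get("interval", 5), start.get("expires_in", 600))
    print("Your token:", body["access_token"])
```

For a confidential client pass client_secret to poll_for_token and include it in the first http_post call as well, exactly as the page's script does.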