Device Code Flow (OAuth 2.0 Device Authorization Grant).

An OAuth 2.0 grant (RFC 8628) where an input-constrained device (smart TV, CLI, IoT device) shows the user a code and a verification URL to authenticate on a second device — convenient for CLIs but a documented phishing vector. Es gehört zur Kategorie Identität und Zugriff der Cybersicherheit.

An OAuth 2.0 grant (RFC 8628) where an input-constrained device (smart TV, CLI, IoT device) shows the user a code and a verification URL to authenticate on a second device — convenient for CLIs but a documented phishing vector.

The OAuth 2.0 Device Authorization Grant, specified in RFC 8628 and colloquially called the device code flow, lets a client without a usable browser (smart TVs, CLIs, kiosks, IoT devices) obtain user-delegated tokens by asking the user to authenticate on a separate device. The client requests a `device_code` and a short `user_code` from the IdP and displays the user_code plus a verification URL (e.g. `https://microsoft.com/devicelogin`); the user opens that URL on their phone or laptop, signs in, types the user_code, and consents. The IdP issues tokens to the original device. The flow is the basis for `gh auth login`, `az login --use-device-code`, Apple TV sign-in, Roku and Google TV pairing, and many CLI tools. It is also a documented phishing vector: an attacker can initiate a device code flow against a target tenant and send the user_code in a phishing message, tricking the victim into authenticating on a legitimate IdP page that issues tokens to the attacker (see Storm-2372). Defensive controls include Conditional Access policies that restrict the device code flow to specific apps or user groups, throttling, and user education.

Schutzmaßnahmen gegen Device Code Flow (OAuth 2.0 Device Authorization Grant) kombinieren typischerweise technische Kontrollen und operative Praktiken, wie in der Definition oben beschrieben.

Übliche alternative Bezeichnungen: RFC 8628, OAuth 2.0 Device Authorization Grant.