Vol. 1 · Ed. 2026
CyberGlossary
Entry № 340

Device Code Flow (OAuth 2.0 Device Authorization Grant)

What is Device Code Flow (OAuth 2.0 Device Authorization Grant)?

An OAuth 2.0 grant (RFC 8628) where an input-constrained device (smart TV, CLI, IoT device) shows the user a code and a verification URL to authenticate on a second device — convenient for CLIs but a documented phishing vector.


The OAuth 2.0 Device Authorization Grant, specified in RFC 8628 and colloquially called the device code flow, lets a client without a usable browser (smart TVs, CLIs, kiosks, IoT devices) obtain user-delegated tokens by asking the user to authenticate on a separate device. The client requests a `device_code` and a short `user_code` from the IdP and displays the `user_code` plus a verification URL (e.g. `https://microsoft.com/devicelogin`); the user opens that URL on their phone or laptop, signs in, types the `user_code`, and consents. The IdP issues tokens to the original device. The flow is the basis for `gh auth login`, `az login --use-device-code`, Apple TV sign-in, Roku and Google TV pairing, and many CLI tools. It is also a documented phishing vector: an attacker can initiate a device code flow against a target tenant and send the `user_code` in a phishing message, tricking the victim into authenticating on a legitimate IdP page that issues tokens to the attacker (see Storm-2372). Defensive controls include Conditional Access policies that restrict the device code flow to specific apps or user groups, throttling, and user education.
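The three steps above, as an added example that is not the glossary's or any vendor's code: a small in-process simulation of the RFC 8628 exchange with the IdP-side checks a defender cares about, namely an allow-list of client IDs standing in for the Conditional Access app restriction, `slow_down` throttling and expiry of pending grants, and single-use device codes. The `AuthorizationServer` class, the client ID `corp-cli` and the URL `https://idp.example/device` are illustrative assumptions.

```python
import secrets
import time

ALLOWED_DEVICE_CLIENTS = {"corp-cli"}  # constructed allow-list, like a Conditional Access app scope
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # base-20 alphabet recommended in RFC 8628 section 6.1


class AuthorizationServer:
    def __init__(self, clock=time.time, interval=5, lifetime=600):
        self.clock, self.interval, self.lifetime = clock, interval, lifetime
        self.grants = {}  # device_code -> pending grant state (hypothetical in-memory IdP)

    def device_authorization(self, client_id, scope):
        """Step 1: the input-constrained client asks for a device_code/user_code pair."""
        if client_id not in ALLOWED_DEVICE_CLIENTS:  # policy gate: grant only for allowed apps
            return {"error": "unauthorized_client"}
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        self.grants[device_code] = {"user_code": user_code, "client_id": client_id, "scope": scope,
                                    "approved": None, "expires": self.clock() + self.lifetime,
                                    "last_poll": 0.0, "interval": self.interval}
        return {"device_code": device_code, "user_code": user_code, "interval": self.interval,
                "verification_uri": "https://idp.example/device", "expires_in": self.lifetime}

    def approve(self, user_code, user):
        """Step 2: the user enters the code on a second device and consents. The IdP cannot
        tell who started the flow: whoever holds the matching device_code gets the tokens."""
        code = user_code.upper().replace("-", "")
        for g in self.grants.values():
            if g["user_code"] == code and g["approved"] is None and self.clock() < g["expires"]:
                g["approved"] = user
                return True
        return False

    def token(self, device_code, client_id):
        """Step 3: the device polls the token endpoint until the grant is approved."""
        g = self.grants.get(device_code)
        if g is None or g["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now >= g["expires"]:
            del self.grants[device_code]
            return {"error": "expired_token"}
        if now - g["last_poll"] < g["interval"]:  # throttling: client polled too fast
            g["last_poll"], g["interval"] = now, g["interval"] + 5  # RFC 8628 3.5 back-off
            return {"error": "slow_down"}
        g["last_poll"] = now
        if g["approved"] is None:
            return {"error": "authorization_pending"}
        del self.grants[device_code]  # single use: a redeemed device_code is gone
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer", "sub": g["approved"]}
```

Because the IdP cannot distinguish a user-initiated request from one started elsewhere, the allow-list and throttling are what limit who can obtain a pending grant in the first place.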

Examples

  1. `gh auth login` prints a short user code and a URL; the user signs in on a laptop, enters the code, and the CLI receives tokens.

  2. An Entra ID Conditional Access policy disables the device-code flow tenant-wide except for a tightly scoped CLI-user group.

Frequently asked questions

What is Device Code Flow (OAuth 2.0 Device Authorization Grant)?

An OAuth 2.0 grant (RFC 8628) where an input-constrained device (smart TV, CLI, IoT device) shows the user a code and a verification URL to authenticate on a second device — convenient for CLIs but a documented phishing vector. This concept belongs to the Identity and Access category of cybersecurity.

How do you defend against Device Code Flow (OAuth 2.0 Device Authorization Grant)?

Defenses against Device Code Flow (OAuth 2.0 Device Authorization Grant) usually combine technical controls and operational practices, as detailed in the definition above.

What are the other names for Device Code Flow (OAuth 2.0 Device Authorization Grant)?

Common alternative names: RFC 8628, OAuth 2.0 Device Authorization Grant.

Related terms