Device Code Flow (OAuth 2.0 Device Authorization Grant).

An OAuth 2.0 grant (RFC 8628) where an input-constrained device (smart TV, CLI, IoT device) shows the user a code and a verification URL to authenticate on a second device — convenient for CLIs but a documented phishing vector. サイバーセキュリティの ID とアクセス カテゴリに属します。

An OAuth 2.0 grant (RFC 8628) where an input-constrained device (smart TV, CLI, IoT device) shows the user a code and a verification URL to authenticate on a second device — convenient for CLIs but a documented phishing vector.

The OAuth 2.0 Device Authorization Grant, specified in RFC 8628 and colloquially called the device code flow, lets a client without a usable browser (smart TVs, CLIs, kiosks, IoT devices) obtain user-delegated tokens by asking the user to authenticate on a separate device. The client requests a `device_code` and a short `user_code` from the IdP and displays the user_code plus a verification URL (e.g. `https://microsoft.com/devicelogin`); the user opens that URL on their phone or laptop, signs in, types the user_code, and consents. The IdP issues tokens to the original device. The flow is the basis for `gh auth login`, `az login --use-device-code`, Apple TV sign-in, Roku and Google TV pairing, and many CLI tools. It is also a documented phishing vector: an attacker can initiate a device code flow against a target tenant and send the user_code in a phishing message, tricking the victim into authenticating on a legitimate IdP page that issues tokens to the attacker (see Storm-2372). Defensive controls include Conditional Access policies that restrict the device code flow to specific apps or user groups, throttling, and user education.

Device Code Flow (OAuth 2.0 Device Authorization Grant) に対する防御は通常、上記の定義で述べたとおり、技術的統制と運用上の実践を組み合わせます。

一般的な別名: RFC 8628, OAuth 2.0 Device Authorization Grant。