Device Code Flow (OAuth 2.0 Device Authorization Grant).

An OAuth 2.0 grant (RFC 8628) where an input-constrained device (smart TV, CLI, IoT device) shows the user a code and a verification URL to authenticate on a second device — convenient for CLIs but a documented phishing vector. 它属于网络安全的 身份与访问 分类。

An OAuth 2.0 grant (RFC 8628) where an input-constrained device (smart TV, CLI, IoT device) shows the user a code and a verification URL to authenticate on a second device — convenient for CLIs but a documented phishing vector.

The OAuth 2.0 Device Authorization Grant, specified in RFC 8628 and colloquially called the device code flow, lets a client without a usable browser (smart TVs, CLIs, kiosks, IoT devices) obtain user-delegated tokens by asking the user to authenticate on a separate device. The client requests a `device_code` and a short `user_code` from the IdP and displays the user_code plus a verification URL (e.g. `https://microsoft.com/devicelogin`); the user opens that URL on their phone or laptop, signs in, types the user_code, and consents. The IdP issues tokens to the original device. The flow is the basis for `gh auth login`, `az login --use-device-code`, Apple TV sign-in, Roku and Google TV pairing, and many CLI tools. It is also a documented phishing vector: an attacker can initiate a device code flow against a target tenant and send the user_code in a phishing message, tricking the victim into authenticating on a legitimate IdP page that issues tokens to the attacker (see Storm-2372). Defensive controls include Conditional Access policies that restrict the device code flow to specific apps or user groups, throttling, and user education.

针对 Device Code Flow (OAuth 2.0 Device Authorization Grant) 的防御通常结合技术控制与运营实践,详见上方完整定义。

常见的别称包括: RFC 8628, OAuth 2.0 Device Authorization Grant。