Learn how the OAuth 2.0 Device Flow offers smooth authentication and authorization to limited-input devices.
Tired of wrestling with remote controls and on-screen TV keyboards to enter credentials on your smart TV? You’ve dealt with it too many times, and you can bet your customers have to. What if you could help them get logged in with just a few taps on their cell phone?
Hi, Dan from Auth0 here bringing you the OAuth 2.0 Device Flow: a fast, easy, and safe way to log into apps on your Smart TV and other input-constrained devices. No keyboard? No browser? No problem!
Ordinary login can be tedious and error-heavy. The OAuth 2.0 Device Flow is lightweight, authenticates you in seconds and not only works with TVs, but also with game consoles, CLIs, printers, and much more!
Auth0 offers developers a fully compliant implementation of the OAuth 2.0 Device Flow to tackle this user experience pain point easily. Let’s learn more about what input-constrained devices are, how this authorization grant works, and how Auth0 can help.
What Are Internet-Connected, Input-Constrained Devices?
Do you have an internet-connected device that either (1) has no browser or (2) offers impractical ways for you to input text?
If you answered yes, then you have an input-constrained device! What type of devices came to your mind? I am thinking...
- All-in-One printers
- Fitness trackers
- Streaming devices
- Game consoles
- Teddy bears
- Car infotainment systems
- Smart TVs
- Really, anything with the word “smart” in front of it
The Internet of Things (IoT) frenzy has put a lot of devices online. Today or in the future, the software running on these devices may talk to your service APIs to get the data needed to offer your customers a rich user experience across devices and platforms. However, that user experience may not be so rich or secure if a device doesn’t offer a convenient way to authorize external services.
"Granting authorization on input-constrained devices is challenging. But what are input-constrained devices anyway? Learn more in this blog post!"
As a competitive business, you don’t want to limit the devices that can use your services by not being able to provide browserless authentication. But, if the device does offer a browser or user interface, you wouldn’t want your customers to enter credentials using the arrows of a TV remote control to select keys from a giant on-screen keyboard. Their credentials could be compromised by someone recording their screen as they slowly input them, for example.
Furthermore, you’ll want to ensure that user credentials are not entered on systems that you don’t control and that may store them for future access, like smart displays that sometimes leverage proprietary systems or third-party clients that access your APIs.
What you do want is a way to authorize third-party applications with controlled access to your APIs on a variety of devices. The OAuth 2.0 Device Flow lets you do exactly that! Even on devices without a browser, you can take advantage of the security and user experience benefits of a standard delegated authorization protocol.
By decoupling the log-in experience from input-constrained devices, end-users can benefit from a secure method of authentication while having a frictionless user experience they will tell their friends about.”
To understand how to go with the Device Flow, it’s better for you to see it at play using a video streaming app as an example.
OAuth 2.0 Device Flow In Action
Say that you want to watch AuthU TV, a fictional video platform for techies, on your television. You start by downloading the AuthU TV app to your smart TV. When you open the app for the first time, you’ll be welcomed by a login screen.
To kick things off, you’ll be asked to visit a URL on another device (like a smartphone or laptop), enter a short code, and then log in to your AuthU account to authenticate yourself.
Completing this process gives the software on your TV access to your AuthU account and lets you use your remote control to navigate AuthU content — not enter credentials.
At a high level, this process is very similar to how YouTube redirects to accounts.google.com to process a user login. With the OAuth 2.0 Device Flow, you manage the authentication process on a centralized login page, using a secondary device to make the input of credentials faster and more secure. By moving authentication off the device and into a browser, you are able to take advantage of more advanced identity and security features, such as MFA, SSO, and Social Login.
But talk is cheap: let’s see the Device Flow in action! Our engineers at Auth0 created an interactive demo that lets you simulate the authorization of the AuthU smart TV app right from your browser.
Start by visiting the Device Flow Playground. Once there, you can either try the playground with our default demo settings or configure with your Auth0 account settings to try in your own applications.
Need an Auth0 account? Get started for free today. You’ll be saying “Wow!” while using everything that Auth0’s free trial has to offer!
You can also select the desired scopes you want to have. Once that’s done, click on “Get Started”.
Next, to stream content from the mock AuthU TV app, you are prompted to authorize the app by clicking on the “Authorize” button.
Now you are prompted to authorize the device by navigating to the activation URL, acme-demo.auth0.com/activate, using another device and entering the code displayed on your smart TV. You can also scan the QR code, which would automatically input the user code. The TV app will be waiting for you to complete the process on your secondary device which would trigger an authorization response it can use to get access to the AuthU TV service.
Visit the provided link, enter the one-time code, and click “Continue”. You can do this using another browser tab or your smartphone mobile browser.
Confirm that the code displayed on the site matches the one shown on the smart TV and click “Continue”.
Next, sign up for an account or log in with an existing one.
A message will show up on the site confirming that the device is now connected.
Back on the smart TV, the AuthU app is ready to start streaming content. The TV app has the authorization to fetch additional information about you to customize the UI.
That’s it for a high-level technical overview of the OAuth 2.0 Device Flow. Let’s peek under the hood at how using Auth0 as your identity platform facilitates this process.
OAuth 2.0 Device Flow Made Easy with Auth0
When your input-constrained device needs to fetch user data from your API, the following process takes place:
If the device application is not already authorized, your device application calls your Auth0 Authorization Server to retrieve a device code.
Auth0 responds with a URL and user code. Your device app asks the user to visit a specific URL on a secondary device (like a laptop or smartphone) and provide the activation code.
Your device app begins to poll your Auth0 Authorization Server for an Access Token and a Refresh Token.
The user authenticates with Auth0 on the secondary device using one of your already configured authentication methods. Auth0 is an identity hub that supports many Identity Providers using various protocols (like OpenID Connect, SAML, WS-Federation, and more).
Once authentication is complete, Auth0 responds to your device app with an Access Token and a Refresh Token, which lets you refresh the Access Token without having to request permission from the user again.
The Access Token can be used to call your API and retrieve requested data.
"With access tokens and refresh tokens, you make authentication fast and make it last! Learn more about how tokens work in the OAuth 2.0 Device Flow."
Today, you learned what internet-connected, input-constrained devices are, the challenges that these devices present to developers and customers alike, and how Auth0 along with OAuth 2.0 let you tackle those challenges through the implementation of the Device Flow.
The best part of the OAuth 2.0 Device Flow is that it lets you extend your existing authentication solutions to smart device platforms. This authorization grants simply lets your customers authenticate and authorize applications running on one device through another.
You may be curious about how you or your development team can implement this through code. We'll provide you with a detailed tutorial on Device Flow soon. Stay tuned! In the meantime, check the following resources for more information:
"The OAuth 2.0 Device Flow is designed for applications executed on internet-connected devices that either don’t have a browser or are input-constrained. It enables end-users to authorize device applications to access service APIs."
Auth0, a global leader in Identity-as-a-Service (IDaaS), provides thousands of customers in every market sector with the only identity solution they need for their web, mobile, IoT, and internal applications. Its extensible platform seamlessly authenticates and secures more than 2.5 billion logins per month, making it loved by developers and trusted by global enterprises. The company's U.S. headquarters in Bellevue, WA, and additional offices in Buenos Aires, London, Tokyo, and Sydney, support its global customers that are located in 70+ countries.