OAUTH2 Device Profile

Session Topic: OAuth 2.0 Device Profile (T5E)

Convener: Marius Scurtescu

Notes-taker(s): Andrew Wansley

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

What is the device profile?
 * Similar to Netflix pairing
 * Device has a display, but no input or only a painful one
 * Device gets a user code and device code
 * Device says "go to URL and enter "
 * User goes to browser, enters code at URL, sees a consent page, approves
 * Device meanwhile polls the AS, gets a code and a refresh token

Use a QR code?
 * Possible, but UX issues
 * People may not have active sessions on their phone, so browser might be easier

Implementation issues
 * Google ended up creating separate endpoints
 * Devices poll today at FB/Google; they could just check once
 * one URL per client_id vs. a generic URL with globally unique codes
 * 30-minute user code expiry time
 * Session fixation attack theoretically possible; the odd UX mitigates it
 * Client apps could use this flow

How is it modeled?
 * grant_type=device_code

Mis-binding
 * Devices could show the user id

Account sharing
 * other ways of solving it

Spec
 * Probably refresh Recordon's spec

Code length
 * 6-8 characters, variable length
 * could use words
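The flow described in these notes (device gets a user code and a device code, the user types the user code into a browser and consents, the device polls the AS with grant_type=device_code, the 30-minute user code expiry, the device showing which user it is bound to, and 6-8 character user codes), pulled together as an added worked example. This is not code from the session or from any of the implementations mentioned; it is a toy in-memory authorization server in Python. The verification URL, the user-code alphabet, and the error strings are assumptions (the error names follow the later RFC 8628 device grant, which also spells the grant type as a URN rather than the bare device_code used in the session).

```python
import secrets
import time

# Alphabet for the short user code: uppercase letters and digits with the
# look-alikes 0/O and 1/I/L removed. A constructed choice for this example.
USER_CODE_ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"

# User code lifetime: the 30 minutes mentioned under "Implementation issues".
USER_CODE_TTL_SECONDS = 30 * 60


class DeviceAuthorizationServer:
    """Toy in-memory authorization server for the device profile.

    One record per pending authorization, reachable both by the long opaque
    device_code the device polls with and by the short user_code the person
    types into the browser. Because both codes point at the same record, an
    approval can only release tokens to the device that requested that pair.
    """

    def __init__(self, verification_url="https://as.example/device", clock=time.time):
        self.verification_url = verification_url  # assumed URL, shown to the user
        self.clock = clock                         # injectable for tests
        self._by_device_code = {}
        self._by_user_code = {}

    def device_authorization(self, client_id, code_length=8):
        """Step 1: the device asks for a user code and device code to display."""
        device_code = secrets.token_urlsafe(32)
        while True:  # guard against colliding with a still-live user code
            user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(code_length))
            if user_code not in self._by_user_code:
                break
        record = {"client_id": client_id, "device_code": device_code,
                  "user_code": user_code, "status": "pending", "user": None,
                  "expires_at": self.clock() + USER_CODE_TTL_SECONDS}
        self._by_device_code[device_code] = record
        self._by_user_code[user_code] = record
        return {"device_code": device_code, "user_code": user_code,
                "verification_url": self.verification_url,
                "expires_in": USER_CODE_TTL_SECONDS}

    def _forget(self, record):
        self._by_device_code.pop(record["device_code"], None)
        self._by_user_code.pop(record["user_code"], None)

    def _live_by_user_code(self, typed):
        """Look up a typed code; drop and ignore it once the 30 minutes are up."""
        record = self._by_user_code.get(self.normalize_user_code(typed))
        if record is not None and self.clock() >= record["expires_at"]:
            self._forget(record)
            return None
        return record

    @staticmethod
    def normalize_user_code(typed):
        """Humans type codes with spaces, dashes and lowercase; canonicalize."""
        return "".join(ch for ch in typed.upper() if ch.isalnum())

    def lookup_user_code(self, typed):
        """Step 2: the consent page names the client asking, so a user can
        notice a code they never requested (the fixation case in the notes)."""
        record = self._live_by_user_code(typed)
        if record is None or record["status"] != "pending":
            return None
        return {"client_id": record["client_id"]}

    def decide(self, typed, user_id, approved):
        """Step 3: the signed-in user approves or denies on the consent page."""
        record = self._live_by_user_code(typed)
        if record is None or record["status"] != "pending":
            return {"error": "invalid_user_code"}
        record["status"] = "approved" if approved else "denied"
        record["user"] = user_id if approved else None
        return {"ok": True}

    def token(self, client_id, grant_type, device_code):
        """Step 4: the device polls the token endpoint with grant_type=device_code."""
        if grant_type != "device_code":
            return {"error": "unsupported_grant_type"}
        record = self._by_device_code.get(device_code)
        if record is not None and self.clock() >= record["expires_at"]:
            self._forget(record)
            return {"error": "expired_token"}
        if record is None or record["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if record["status"] == "pending":
            return {"error": "authorization_pending"}
        self._forget(record)  # every outcome below is single-use
        if record["status"] == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32),
                "refresh_token": secrets.token_urlsafe(32),
                "token_type": "Bearer",
                "user": record["user"]}  # lets the device show who it is bound to


def poll_for_token(server, client_id, device_code, interval=5, max_attempts=360, sleep=time.sleep):
    """Device side: poll until the user decides or the code expires."""
    for _ in range(max_attempts):
        resp = server.token(client_id, "device_code", device_code)
        if resp.get("error") != "authorization_pending":
            return resp  # tokens, or a terminal error
        sleep(interval)
    return {"error": "expired_token"}
```

The two mitigations the notes touch on are visible in the code: the device_code and user_code are two handles on one record that expires together, and the consent page gets the client_id so it can say which app is asking before the user approves. Codes are also consumed on first successful poll, so a leaked device_code is worthless once the device has its tokens.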