Device Code Grant Type

Use this grant type when a client executes on devices that do not have an easy data-entry method (for example, game consoles, streaming media players and digital picture frames), and the client is incapable of receiving incoming requests from the authorization server.

For example, a customer buys a Roku, digital picture frame, or game console. The customer needs an access token in order to fetch movies, pictures, or games from the cloud. Instead of interacting with the user's streaming media player (such as a Roku) or digital picture frame, the client instructs the user to use another computer or device (a desktop computer, smart phone, or tablet) and connect to the authorization server to approve the access request. Since the client cannot receive incoming requests, it polls the authorization server repeatedly until the user completes the approval process.

The following diagram displays the Device Code Grant Type flow.

A diagram that illustrates the Device Code Grant Type flow.

In this OAuth flow:

Note:

This device flow doesn't use the client secret to obtain the device code and the user code. The client secret is used (if assigned to the client) when obtaining the access token.
  1. A device client makes an unauthenticated request to an Oracle Identity Cloud Service /device endpoint. The device receives a device code, user code, and a verification URI.

    The device client displays the user code (user_code) to the user and provides the URL (verification-uri) where the user needs to go to enter the user code (not shown in diagram).

  2. The device client doesn't know if the user is authorized. The device client requests the access token repeatedly (to oauth2/v1/token) in the background until the user enters the user code on the Oracle Identity Cloud Service verification page.

  3. The user accesses the Oracle Identity Cloud Service verification page, logs in, and then enters the user code.

  4. After the user enters the user code and authorizes access, an access token is issued by the OAuth server and the user is given access to the protected data through the device.
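The polling in step 2, as an added example that is not Oracle's code: a bounded loop that stops on denial or expiry and backs off when told to. It assumes the token endpoint answers with the RFC 8628 error codes (authorization_pending, slow_down, access_denied, expired_token); post() is a hypothetical transport to oauth2/v1/token, and the fake server and all values in demo() are constructed.

```python
import time

GRANT = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628 grant type

class DeviceFlowError(Exception):
    """Terminal failure: the user denied access or the device code expired."""

def poll_for_token(post, device_code, client_id, interval=5, expires_in=300,
                   sleep=time.sleep, clock=time.monotonic):
    """Poll until the user approves, denies, or the device code expires.

    post(form) -> dict is a hypothetical transport: it sends the form to
    oauth2/v1/token (adding client authentication if a secret is assigned)
    and returns the parsed JSON body.
    """
    deadline = clock() + expires_in
    form = {"grant_type": GRANT, "device_code": device_code,
            "client_id": client_id}
    while clock() < deadline:
        body = post(form)
        if "access_token" in body:
            return body                      # user approved
        error = body.get("error")
        if error == "slow_down":
            interval += 5                    # RFC 8628: add 5 s and keep polling
        elif error != "authorization_pending":
            # access_denied, expired_token, or anything unexpected: stop.
            raise DeviceFlowError(error or "malformed response")
        sleep(interval)
    raise DeviceFlowError("expired_token")   # never poll past the code lifetime

def fake_server(responses):
    """Constructed stand-in for the authorization server (sample data)."""
    replies = iter(responses)
    return lambda form: next(replies)

def demo():
    """Run the loop against constructed responses with a simulated clock."""
    now, waits = [0.0], []
    def fake_sleep(seconds):
        waits.append(seconds)
        now[0] += seconds
    server = fake_server([{"error": "authorization_pending"},
                          {"error": "slow_down"},
                          {"error": "authorization_pending"},
                          {"access_token": "constructed-token"}])
    token = poll_for_token(server, "constructed-device-code",
                           "constructed-client-id",
                           sleep=fake_sleep, clock=lambda: now[0])
    return token["access_token"], waits
```

Treating every unrecognized error as terminal keeps a misbehaving or rejected device from polling the token endpoint indefinitely.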

Function | Available
Browser-based end user interaction | Yes
Can use an external Identity Provider for authentication | Yes
Refresh token is allowed | Yes

See an example Device Code Grant Type authorization flow.