Implement OAuth 2.0 Device Authorization Grant (RFC8628)
Summary
RFC 8628 allows an input-constrained device such as a TV, game console, etc. to obtain an access token. It is also used for securely authenticating non-HTTP protocols (FreeIPA).
Design proposition
The protocol works like this:
- TV hits a portal URL (/oauth2/authorize_device) => issuer unauth route
- LLNG returns a user code, a device code and a verification URL ( https://auth.example.com/device )
- TV displays the URL and the user code
- TV starts polling LLNG on the unauth route with the device code, waiting for the user to complete the process
- The user browses to https://auth.example.com/device on their phone/laptop and enters the user code. An SSO session is established or reused. => issuer auth route
- TV eventually obtains the access token
This flow looks rather easy to implement in the OIDC issuer. We just need to be careful to prevent brute-force attacks on the user code (short, human-typed, so low entropy), and develop a small UI for the user to input the user code. We need to store a temporary OIDC session during the flow, indexed by both user code and device code.
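As an added example, here is a small Python model of the server side of that flow (this is illustration code, not LLNG code): the unauthenticated device-authorization route, the authenticated user-code route, and the polling route that the device hits until the token is ready. It assumes the route names and verification URL from the list above, a per-browser-session budget of 5 wrong user codes before lockout (an assumed policy, not part of the issue), a 5-second minimum poll interval and 10-minute code lifetime, and an opaque random string in place of the real OIDC access token. Device and user codes are kept in a temporary store indexed by both codes, as the design proposes, and the user code is consonant-only so it is easy to type and read aloud.

```python
"""Server-side model of the RFC 8628 device flow (added example, not LLNG code)."""
import secrets
import time

# Consonant-only alphabet: easy to read aloud and type.
# 8 characters from 20 letters is about 34.6 bits, which is why the
# verification route below also needs rate limiting and a short lifetime.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"
USER_CODE_LENGTH = 8
CODE_LIFETIME = 600            # seconds a pending device code stays valid
POLL_INTERVAL = 5              # minimum seconds between token polls
MAX_FAILED_VERIFICATIONS = 5   # assumed policy: wrong codes per verifying browser session
VERIFICATION_URI = "https://auth.example.com/device"   # URL from the issue


def _new_user_code():
    raw = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(USER_CODE_LENGTH))
    return f"{raw[:4]}-{raw[4:]}"          # e.g. "BCDF-GHJK"


def normalize_user_code(text):
    """Accept what a human actually types: case, spaces and hyphens are ignored."""
    return "".join(ch for ch in text.upper() if ch in USER_CODE_ALPHABET)


class DeviceFlowStore:
    """Temporary flow sessions, indexed by device code and by user code."""

    def __init__(self, now=time.time):
        self.now = now                       # injectable clock, for tests
        self.by_device_code = {}
        self.by_user_code = {}               # normalized user code -> device code
        self.failed_by_verifier = {}         # browser session key -> wrong-code count

    def _drop(self, device_code):
        entry = self.by_device_code.pop(device_code, None)
        if entry:
            self.by_user_code.pop(entry["user_code"], None)

    def _lookup(self, device_code):
        entry = self.by_device_code.get(device_code)
        if entry is not None and entry["expires_at"] <= self.now():
            self._drop(device_code)
            return None, "expired_token"
        return entry, None

    # Unauthenticated route: /oauth2/authorize_device (the TV calls this).
    def authorize_device(self, client_id, scope):
        device_code = secrets.token_urlsafe(32)    # ~256 bits, never shown to a human
        user_code = _new_user_code()
        self.by_device_code[device_code] = {
            "client_id": client_id, "scope": scope, "status": "pending", "user": None,
            "user_code": normalize_user_code(user_code),
            "expires_at": self.now() + CODE_LIFETIME, "last_poll": None,
        }
        self.by_user_code[normalize_user_code(user_code)] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": CODE_LIFETIME, "interval": POLL_INTERVAL}

    # Authenticated route: /device (the user types the code after SSO login).
    # verifier_key identifies the typing browser session, so the attempt budget
    # is charged to the guesser rather than to the victim's code.
    def verify_user_code(self, typed_code, user_id, verifier_key, approve=True):
        failures = self.failed_by_verifier.get(verifier_key, 0)
        if failures >= MAX_FAILED_VERIFICATIONS:
            return "too_many_attempts"
        device_code = self.by_user_code.get(normalize_user_code(typed_code))
        entry, _ = self._lookup(device_code)
        if entry is None or entry["status"] != "pending":
            self.failed_by_verifier[verifier_key] = failures + 1
            return "invalid_code"
        entry["status"] = "approved" if approve else "denied"
        entry["user"] = user_id
        return entry["status"]

    # Unauthenticated route: the TV polls this with its device code.
    def poll_token(self, device_code, client_id):
        entry, err = self._lookup(device_code)
        if entry is None:
            return {"error": err or "invalid_grant"}
        if entry["client_id"] != client_id:
            return {"error": "invalid_grant"}
        last, entry["last_poll"] = entry["last_poll"], self.now()
        if last is not None and entry["last_poll"] - last < POLL_INTERVAL:
            return {"error": "slow_down"}
        if entry["status"] == "pending":
            return {"error": "authorization_pending"}
        self._drop(device_code)                  # device codes are single use
        if entry["status"] == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32),   # placeholder opaque token
                "token_type": "Bearer", "expires_in": 3600,
                "scope": entry["scope"], "sub": entry["user"]}
```

The error strings (`authorization_pending`, `slow_down`, `expired_token`, `access_denied`) are the ones RFC 8628 defines for the token endpoint, so a conforming device client knows whether to keep polling, back off, or restart. The brute-force defence is the combination of the short lifetime, the per-guesser attempt budget and, for the device code, enough entropy that guessing is not practical.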