The Device Authorization Grant (commonly referred to as the Device Flow, RFC 8628) is a specialized OAuth 2.0 grant flow supported by PingAM 8.0.2. It is designed for internet-connected devices that either lack a browser or have limited input capabilities (e.g., Smart TVs, IoT devices, or CLI tools).
In this flow, the interaction is split between the "Device" and a "Secondary Device" (like a smartphone or laptop) that has a full browser. The User Code is a fundamental component of this process:
Device Request: The device requests a code from PingAM.
PingAM Response: AM returns a Device Code (a long, high-entropy secret that stays on the device) and a User Code (a short, human-readable string like BCDF-GHJK), together with the verification URL, an expiry time, and the minimum polling interval.
User Action: The device displays the User Code and a verification URL to the user.
Authorization: The user navigates to the URL on their smartphone, logs into PingAM, and enters the User Code.
Token Issuance: Once the user authorizes the request, the device (which has been polling the token endpoint with the Device Code and receiving authorization_pending, or slow_down if it polls too quickly) receives the Access and Refresh tokens. If the user declines or the codes expire, the poll returns access_denied or expired_token instead.
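The five steps above, carried end to end as an added example (this is illustrative code written for this page, not PingAM's implementation or its client SDK). An in-memory stand-in for the AM device-code and token endpoints is assumed so that both sides of the exchange can run offline; the verification URL, client ID and scopes are placeholders, and the clock is faked so the polling interval, slow_down back-off and code expiry can be exercised deterministically.

```python
import secrets
from dataclasses import dataclass

# RFC 8628 section 6.1 recommended user-code alphabet: 20 upper-case consonants.
# An 8-character code carries only ~34.6 bits, so it must be short-lived and single-use.
USER_CODE_CHARSET = "BCDFGHJKLMNPQRSTVWXZ"
DEVICE_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"
VERIFICATION_URI = "https://am.example.com/am/oauth2/device/user"  # assumed placeholder


class FakeClock:
    """Deterministic clock so the example runs without real sleeps."""
    def __init__(self, start=1000.0):
        self.t = start
    def now(self):
        return self.t
    def sleep(self, seconds):
        self.t += seconds


def generate_user_code(length=8, charset=USER_CODE_CHARSET):
    raw = "".join(secrets.choice(charset) for _ in range(length))
    return raw[: length // 2] + "-" + raw[length // 2 :]


def normalize_user_code(code):
    # Humans type these: accept lower case, stray spaces and a missing hyphen.
    return code.replace("-", "").replace(" ", "").upper()


@dataclass
class PendingGrant:
    device_code: str
    user_code: str
    client_id: str
    scope: str
    expires_at: float
    interval: int
    status: str = "pending"   # pending -> authorized | denied
    last_poll: float = -1e9


class MockAuthorizationServer:
    """In-memory stand-in for AM's device-authorization and token endpoints (constructed for this example)."""
    def __init__(self, clock, lifetime=300, interval=5):
        self.clock, self.lifetime, self.interval = clock, lifetime, interval
        self.by_device, self.by_user = {}, {}

    def device_authorization(self, client_id, scope):   # steps 1-2: device asks for codes
        grant = PendingGrant(device_code=secrets.token_urlsafe(32),  # never shown to the user
                             user_code=generate_user_code(), client_id=client_id, scope=scope,
                             expires_at=self.clock.now() + self.lifetime, interval=self.interval)
        self.by_device[grant.device_code] = grant
        self.by_user[normalize_user_code(grant.user_code)] = grant
        return {"device_code": grant.device_code, "user_code": grant.user_code,
                "verification_uri": VERIFICATION_URI, "expires_in": self.lifetime,
                "interval": self.interval}

    def user_verification(self, submitted_code, approve=True):   # step 4: logged-in user on the phone
        grant = self.by_user.get(normalize_user_code(submitted_code))
        if grant is None or grant.status != "pending" or self.clock.now() >= grant.expires_at:
            return "invalid_user_code"   # one answer for unknown/used/expired: no guessing oracle
        grant.status = "authorized" if approve else "denied"
        return "ok"

    def token(self, client_id, grant_type, device_code):   # step 5: device polls with its device code
        grant = self.by_device.get(device_code)
        if grant_type != DEVICE_GRANT_TYPE or grant is None or grant.client_id != client_id:
            return {"error": "invalid_grant"}
        now = self.clock.now()
        if now >= grant.expires_at:
            self._drop(grant)
            return {"error": "expired_token"}
        if now - grant.last_poll < grant.interval:
            grant.last_poll = now
            return {"error": "slow_down"}   # RFC 8628 3.5: client must add 5 s to its interval
        grant.last_poll = now
        if grant.status == "pending":
            return {"error": "authorization_pending"}
        self._drop(grant)   # both codes are single-use whatever the outcome
        if grant.status == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600,
                "refresh_token": secrets.token_urlsafe(32), "scope": grant.scope}

    def _drop(self, grant):
        self.by_device.pop(grant.device_code, None)
        self.by_user.pop(normalize_user_code(grant.user_code), None)


def run_device_flow(server, clock, client_id, scope, on_display):
    """Device side: request codes, show them (step 3), then poll until a terminal answer."""
    resp = server.device_authorization(client_id, scope)
    on_display(resp["verification_uri"], resp["user_code"])
    interval, deadline = resp["interval"], clock.now() + resp["expires_in"]
    while clock.now() < deadline:
        clock.sleep(interval)
        tok = server.token(client_id, DEVICE_GRANT_TYPE, resp["device_code"])
        err = tok.get("error")
        if err is None:
            return tok
        if err == "slow_down":
            interval += 5
        elif err != "authorization_pending":
            raise PermissionError(err)   # access_denied, expired_token, invalid_grant
    raise PermissionError("expired_token")


if __name__ == "__main__":
    clock, am = FakeClock(), MockAuthorizationServer(FakeClock())
    am.clock = clock
    def smartphone(uri, code):   # the user reads the screen and types the code into the browser
        print(f"Visit {uri} and enter {code}")
        assert am.user_verification(code.lower().replace("-", "")) == "ok"
    tokens = run_device_flow(am, clock, "smart-tv-client", "openid profile", smartphone)
    print("token issued:", tokens["token_type"], tokens["scope"])
```

The user-verification endpoint deliberately returns the same "invalid_user_code" answer for unknown, already-used and expired codes, and the token endpoint enforces the polling interval; together with a short lifetime these are what keep a 20-character, 8-digit code from being brute-forced.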
The User Code is unique to the Device Flow (Option D). It is not used in the Client Credentials Grant (which is machine-to-machine), the Authorization Code Grant (which uses a redirect-based code), or the Resource Owner Password Credentials Grant (which uses direct username/password submission). In PingAM 8.0.2, administrators can configure the length, character set, and expiration time of these user codes within the OAuth2 Provider settings. Because the user code is deliberately short enough to type by hand, its lifetime should be kept brief and the verification endpoint protected against repeated guesses, as the security considerations of RFC 8628 describe.