IoT and smart device style use cases, often require the need to authorize a device to act on behalf of a user. A common example is things like smart TV’s, home appliances or wearables, that are powerful enough to communicate over HTTPS, and will often access services and APIs on the end user’s behalf.
How can that be done securely, without sharing credentials? Well, OAuth2 can come to the rescue. Whilst not part of the ratified standard, many of the OAuth2 IETF drafts, describe how this could be acheived using what’s known as the “Device Flow” This flow leverages the same components of the other OAuth2 flows, with a few subtle differences.
Firstly, the device is generally not known to have a great UI, that can handle decent human interaction – such as logging in or authorizing a consent request. So, the consenting aspect, needs to be handled on a different device, that does have standard UI capabilities. The concept, is to have the device trigger a request, before passing the authorization process off to the end user on a different device – basically accessing a URL to “authorize and pair” the device.
Once authorized, the device can then call the ../oauth2/device/token? endpoint with the necessary client credentials and device_code, to receive the access and refresh token payload – or OpenID Connect JWT token as well.
The device can then start accessing resources on the users behalf – until the user revokes the bearer token.
NB – this OAuth2 flow is only available in the nightly OpenAM 13.0 build.
DeviceEmulator code that tests the flows is available here.