Set Top Box Emulator and OAuth2 Device Flow

This is really an extension to a blog I did in October 2015 – Device Authorization using OAuth2 and OpenAM, with an application written in Node.js using the newly released OpenAM 13.0.

The basic flow hasn’t really changed. Ultimately there is a client – the TV emulator – that communicates with OpenAM and the end user, with the end user also performing out-of-band operations via a device that has better UI capabilities, such as a tablet or laptop.

The app boots and initiates a request to OpenAM to get a unique user code and device code, prompting the user to visit a specific URL on their tablet.
The user authenticates with the OpenAM resource server as necessary, enters the code and performs a consent dance to approve the request from the TV to be paired and to retrieve data from the user’s profile – in this case, overloading the postaladdress attribute in DJ to store favourite channel data.
In the meantime, the TV client polls the OpenAM authorization service to check whether the end user has entered the correct user_code and approved the request. Once approval is complete, the TV retrieves a typical OAuth2 bearer payload, including the refresh_token and access_token values, which can be used to retrieve the necessary attributes.
Future requests from the TV no longer need to supply password or authorization data. By leveraging a long-lived refresh_token, access can be managed centrally.
For more information on OAuth2 Device Flow see here.
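The boot, consent and polling steps above, as an added Node.js example that is not code from the original post or from OpenAM: a device-flow client state machine run against a constructed in-memory stand-in for the authorization server, so it runs offline. It goes a little beyond the post by handling the slow_down back-off, user denial and device_code expiry that a real client must cope with; the field and error names follow RFC 8628, and the URL, codes and tokens are constructed placeholders.

```javascript
// Added example, not code from the original post: an OAuth 2.0 device-flow client state machine
// plus a constructed in-memory stand-in for OpenAM (RFC 8628 names; placeholder URL/codes/tokens).
// Step 1: validate the device authorization response the TV receives at boot.
function parseDeviceAuthorization(body) {
  for (const f of ['device_code', 'user_code', 'verification_uri', 'expires_in', 'interval']) {
    if (body[f] === undefined) throw new Error(`device authorization response missing ${f}`);
  }
  return { deviceCode: body.device_code, userCode: body.user_code, verificationUri: body.verification_uri,
           expiresIn: Number(body.expires_in), interval: Number(body.interval) };
}
// Step 3: poll the token endpoint until the user approves. Backs off on slow_down, stops on
// access_denied, and gives up once the device_code lifetime has elapsed. pollOnce(deviceCode)
// returns the decoded token response; clock is a simulated time source in seconds.
function pollForToken(pollOnce, auth, clock) {
  let interval = auth.interval;
  const deadline = clock.now() + auth.expiresIn;
  while (clock.now() < deadline) {
    const res = pollOnce(auth.deviceCode);
    if (res.access_token) return { status: 'approved', tokens: res };
    switch (res.error) {
      case 'authorization_pending': break;
      case 'slow_down': interval += 5; break; // RFC 8628 section 3.5: add 5 seconds
      case 'access_denied': return { status: 'denied' };
      case 'expired_token': return { status: 'expired' };
      default: throw new Error(`token endpoint error: ${res.error}`);
    }
    clock.sleep(interval);
  }
  return { status: 'expired' }; // lifetime exhausted without approval
}
// Constructed fake server: first poll answers slow_down, then authorization_pending, then
// approval on poll number approveOnPoll (the user has entered the user_code by then).
function makeFakeServer(approveOnPoll) {
  let polls = 0;
  return {
    authorize: () => ({ device_code: 'dc-123', user_code: 'ABCD-EFGH', expires_in: 300, interval: 5,
                        verification_uri: 'https://openam.example/oauth2/device/user' }),
    token: (deviceCode) => {
      polls += 1;
      if (deviceCode !== 'dc-123') return { error: 'invalid_grant' };
      if (polls === 1) return { error: 'slow_down' };
      return polls < approveOnPoll ? { error: 'authorization_pending' }
        : { access_token: 'at-xyz', refresh_token: 'rt-xyz', token_type: 'Bearer', expires_in: 3600 };
    },
  };
}
function makeClock() { let t = 0; return { now: () => t, sleep: (s) => { t += s; } }; }
function runDeviceFlow(server, clock) {
  return pollForToken(server.token, parseDeviceAuthorization(server.authorize()), clock);
}
```

Against a real OpenAM deployment, replace `server.authorize` and `server.token` with HTTPS calls to its device authorization and token endpoints and `makeClock` with real sleeps.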

This blog post was first published @ identityrelationshipmanagement.blogspot.co.uk, included here with permission.

1 Comment


  1. Hello,

    Thanks for this useful information (and the October 2015 post too!).
    On the verge of implementing this flow, I’m wondering about how to design the client_id/secret initialization:
    – Should I set one client_id/secret shared among all objects? (Easier to manufacture, but I cannot revoke rogue objects.)
    – Should I set a client_id/secret dynamically per object? How/when should I generate them and put them into the objects? Just before initiating this device flow?
    What about rotating secrets?

    Do you have any insight into this? Any pointer to similar thoughts?
    Thanks.

©2019 ForgeRock.