PingOne Platform APIs

Device Authorization Grant

The device authorization grant endpoints support the following actions for applications configured with the DEVICE_CODE grant type:

  • The device authorization endpoint /{{envID}}/as/device_authorization starts an action to return an activation code to the end user. The endpoint response returns a device code, a user code, and a verification URI. The supported parameters for the endpoint request are the client_id parameter and an optional scope parameter.

  • The start flow endpoints /{{envID}}/device/{{appIdentifier}} or /{{envID}}/device, in which the appIdentifier variable represents either the application ID (clientId or applicationId) or a short secondary application identifier (devicePathId, configured per app) that is used only with the /device endpoint.

  • The token endpoint /{{envID}}/as/token returns the tokens issued for the device.

For information about configuring an application connection that uses a DEVICE_CODE grant type, refer to Create Application (OIDC Device Authorization Grant). For OpenID Connect/OAuth 2 data model properties associated with these endpoints, refer to OpenID Connect/OAuth 2. For flow states associated with device authorization grant flows, refer to DAG_USER_CODE_REQUIRED and DAG_CONSENT_REQUIRED in Flows. For IETF specification information, refer to RFC 8628, OAuth 2.0 Device Authorization Grant.

Device authorization grant data model

| Property | Type | Required? | Mutable? | Description |
|---|---|---|---|---|
| client_id | String | Required | Immutable | The application’s UUID. |
| grant_type | String | Required | Mutable | The grant type of the token request. Options are urn:ietf:params:oauth:grant-type:device_code. |
| scope | String | Optional | Mutable | Permissions that determine the resources that the application can access. This parameter is not required, but it is needed to specify accessible resources. Refer to Authorization for details when including offline_access in the scope parameter. |
| device_code | String | Required | Read only | The device verification code. This is a required property for device auth grant flows. |
| user_code | String | Required | Read only | The end-user verification code. This is a required property for device auth grant flows. |
| verification_uri | String | Required | Read only | The end-user verification URI on the authorization server. This is a required property for device auth grant flows. |
| verification_uri_complete | String | Optional | Read only | The end-user verification URI on the authorization server that includes the user_code. |
| expires_in | String | Required | Read only | The lifetime, in seconds, of the device_code. This value is set on the application configuration. |
| interval | String | Optional | Read only | The minimum amount of time, in seconds, that the client should wait between polling requests to the token endpoint. If no value is provided, the default is 5 seconds. This value is set on the application configuration. |
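
The following is an added example, not code from the PingOne documentation: a client-side polling loop that honors the interval and expires_in properties described above when calling the token endpoint. The post_token callable, the DeviceFlowError class and the sample values are assumptions for illustration, and the error codes (authorization_pending, slow_down) come from RFC 8628 section 3.5 rather than from this page.

```python
import time

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"
DEFAULT_INTERVAL = 5  # seconds; the documented default when interval is absent


class DeviceFlowError(Exception):
    """Terminal error returned by the token endpoint (hypothetical helper)."""


def poll_for_tokens(device_resp, client_id, post_token,
                    sleep=time.sleep, clock=time.monotonic):
    """Poll until tokens are issued, the user denies, or device_code expires.

    device_resp: parsed JSON from the device authorization endpoint.
    post_token:  hypothetical callable(form) -> (http_status, parsed_json)
                 that POSTs the form to /{{envID}}/as/token.
    """
    # The data model types these as String, so coerce before doing arithmetic.
    interval = int(device_resp.get("interval", DEFAULT_INTERVAL))
    deadline = clock() + int(device_resp["expires_in"])
    form = {
        "grant_type": GRANT_TYPE,
        "device_code": device_resp["device_code"],  # secret: keep out of logs
        "client_id": client_id,
    }
    # Never poll sooner than `interval`, never poll past the device_code lifetime.
    while clock() + interval <= deadline:
        sleep(interval)
        status, body = post_token(form)
        if status == 200:
            return body
        error = body.get("error")
        if error == "authorization_pending":   # user has not finished yet
            continue
        if error == "slow_down":                # RFC 8628 3.5: add 5 seconds
            interval += 5
            continue
        # access_denied, expired_token, or anything unexpected: stop polling.
        raise DeviceFlowError(error or f"HTTP {status}")
    raise DeviceFlowError("expired_token")
```

Injecting sleep and clock keeps the loop testable without real waiting; in production the defaults apply.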
