OAuth 2.0 Device Authorization Flow

April 04, 2023

Note On Terminology

Device Authorization Flow is designed for authorizing Client Apps that run on a different device than one the user will use to authenticate with - typically this is used for authorizing streaming apps on Smart TVs to access a user’s existing account, and grant them access to use it to stream data through the streaming app on the TV (the Client App).

A typical situation involves:

It’s also often the case that they are already authenticated with the service’s mobile app equivalent, or a different mobile app that is using the same Identity Provider as the service, in which case they just need to tap Yes a confirmation popup (for example, authorization requests are often sent through the YouTube App for related Google services). It is the Device Authorization Flow process that enables this functionality.


A simplified version of the Device Authorization Flow process works as follows:

1) User Initiates Authorization Flow

The streaming app is prompted by the user to authorize, and so the streaming app sends a request to the Authorization Server to initiate the authorization process.

The Authorization Server:

1) Generates a random device_code to identify streaming app device being authorized.

2) Generates a random user_code identifying the authorization process being started.

3) Stores these together on the server temporarily, as they will be needed for later verification when the user completes authorization.

4) Sends the streaming app the URL the user must navigate to on their mobile device, including the user_code, and the device_code, in a JSON response:

    "device_code": "DEVICE_CODE",
    "authorization_url": "https://authorization.streaming-service.com/user-auth-page?USER_CODE",

2) Device Begins Background Polling

The device begins making polling requests to the Authorization Server in the background, asking if the device_code has been authorized yet.

3) User Authorizes on Mobile Device

The authorization URL can be rendered on the TV as a QR code, that the user can open on their mobile device. The authorization URL will be specific to the streaming service, it will open the streaming service’s login page in the browser or the streaming service mobile app itself.

When the user authenticates, or if they are already authenticated, they will simply be asked if they wish to authorize the device streaming app to use their account.

When the user confirms, the Authorization Server looks up the device_code for the user in its memory, verifies it matches the device_code in the polling requests, and returns an Access Token to the streaming app.

4) Client App Accesses User’s Resources

The Access Token now allows the streaming app access to the user’s account, and is typically sent in the Authorization header on the necessary requests:

Authorization: Bearer <Access Token>

Web Security series

1) Common Browser Security Concepts 2) Cookies - A guide for developers 3) HTTP Basic Access Authentication 4) Maintaining Authentication State with Session Cookies 5) JWT Essentials 6) OAuth 1.0 7) OAuth 2.0 Overview 8) OAuth 2.0 Authorization Code Flow 9) OAuth 2.0 Implicit Flow 10) OAuth 2.0 Authorization Code Flow with PKCE 11) OAuth 2.0 Device Authorization Flow 12) OpenID Connect - OAuth 2.0 with Authentication