/device_authorization

Start the device authorization flow.

Endpoint

  • Method: POST
  • URL: https://sso.user.m7.org/device_authorization
  • Content type: application/x-www-form-urlencoded
  • Response: JSON

When to use it

Use this when your app needs the user to approve access on a separate browser or device.

Typical flow:

  1. Call /device_authorization
  2. Show the user the returned user_code or verification_uri_complete
  3. The user approves on /device_login
  4. Your app redeems device_code at /token

Client authentication

Authenticate the client according to its configured token endpoint auth method.

Public clients:

  • send client_id
  • do not send a secret

Confidential clients:

  • use client_secret_basic or client_secret_post

Request fields

  • client_id required
  • scope optional
  • aud optional. This may be sent once or repeated.
  • nonce optional
  • fingerprint optional
  • access_expires optional
  • refresh_expires optional
  • claims optional
  • access_claims optional
  • refresh_claims optional

Example

curl -sS https://sso.user.m7.org/device_authorization \
  -d client_id='CLIENT_ID' \
  -d scope='openid profile offline_access'

Success response

{
  "device_code": "DEVICE_CODE",
  "user_code": "ABCD-EFGH",
  "verification_uri": "https://sso.user.m7.org/device_login",
  "verification_uri_complete": "https://sso.user.m7.org/device_login?user_code=ABCD-EFGH",
  "expires_in": 600,
  "interval": 5
}

Common errors

  • invalid_request
  • invalid_scope
  • unauthorized_client
  • server_error

Notes

  • The current approval window is 10 minutes.
  • The returned polling interval is currently 5 seconds.
  • Admin applications are not allowed to use the device flow in the current implementation.
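
Step 4 of the typical flow, as an added example that is not part of the original documentation: a polling loop that honours the returned interval and expires_in. The /token form fields and the authorization_pending, slow_down, access_denied and expired_token codes come from RFC 8628 and are assumed to apply to this server; post is a hypothetical caller-supplied transport.

```python
import time

# Device-code grant type and polling error codes from RFC 8628 (assumed to
# apply to this server's /token endpoint; the page does not list them).
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"

class DeviceFlowError(Exception):
    """Terminal failure: the user denied, the code expired, or another error."""

def poll_for_token(post, auth, client_id, sleep=time.sleep, clock=time.monotonic):
    """Redeem auth["device_code"] at /token until approved, denied or expired.

    post(form) is a hypothetical caller-supplied transport: it POSTs the form
    to /token (adding client credentials for confidential clients) and returns
    the parsed JSON body. auth is the /device_authorization response.
    """
    interval = auth.get("interval", 5)           # RFC 8628 default when absent
    deadline = clock() + auth["expires_in"]      # approval window, in seconds
    form = {"grant_type": GRANT_TYPE,
            "device_code": auth["device_code"],  # bearer secret: never log or display
            "client_id": client_id}
    while True:
        sleep(interval)                          # wait before every poll, including the first
        if clock() >= deadline:
            raise DeviceFlowError("expired_token")  # stop locally; do not poll forever
        body = post(form)
        error = body.get("error")
        if error is None:
            return body                          # token response
        if error == "slow_down":
            interval += 5                        # RFC 8628: back off by 5 s, permanently
        elif error != "authorization_pending":
            raise DeviceFlowError(error)         # access_denied, expired_token, ...

if __name__ == "__main__":
    # Constructed /token replies standing in for the server, so this runs offline.
    replies = iter([{"error": "authorization_pending"},
                    {"error": "slow_down"},
                    {"access_token": "CONSTRUCTED_TOKEN", "token_type": "Bearer"}])
    auth = {"device_code": "DEVICE_CODE", "user_code": "ABCD-EFGH",
            "expires_in": 600, "interval": 5}
    waits = []
    token = poll_for_token(lambda form: next(replies), auth, "CLIENT_ID",
                           sleep=waits.append)
    print(token["token_type"], "after waits of", waits)
```

Only user_code and verification_uri_complete are meant for the user's eyes; device_code stays inside the client.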