Authentication In Smart TV App - Device Code Flow

Background

Have you come across this scenario where you wanted to use an app on your smart TV, and you are presented with a screen like this?

Recently I tried to authenticate an app on my smart TV and curiosity led me to explore and understand the flow of authentication, exchange of access tokens between the application and authorization server. In the video below I have explained the details of how the user is authenticated and tokens are exchanged to confirm the identity of user.

Device Authorization flow has become common in applications running on devices like Smart TVs, game consoles, and printers needs authentication. These devices or operating systems don't provide a web browser or have limited input capabilities.

We have also seen the same authentication flow being used in applications running on an iOT device or Command line Tools.

This video below explains the authentication flow of Device Authorization followed by detailed demo using Postman.

OAuth 2.0 Device Code Authorization Flow

Here I will explain the authentication and Authorization in the apps with the Microsoft identity platform

The application obtains access tokens through a two-step process flow:

Step 1

When a user tries to login, he/she is presented with a randomly generated code with the verify URL.

Request	Response
POST https://login.microsoftonline.com/organizations/oauth2/v2.0/devicecode Content-Type: application/x-www-form-urlencoded client_id= 6731de76-14a6-49ae-97bc-6eba6914391e scope= user.read%20openid%20profile%20email	"user_code": "AW39RKQJR", "device_code": "AAQABAAEAAAD--", "verification_uri":"https://microsoft.com/devicelogin", "expires_in": 900, "interval": 5, "message": "To sign in, use a web browser to open the pagehttps://microsoft.com/devicelogin and enter the code AW39RKQJR to authenticate."

Step 2

On the secondary device (such as a laptop or mobile phone) user need to complete sign-in interactively using the code provided by the device. Meanwhile, the initial device polls the authorization server for a completed and successful user authentication. When it's available, tokens are issued through a back channel and application uses them to perform the web API calls /actions.

 

Request	Response
POST https:https://login.microsoftonline.com/organizations/oauth2/v2.0/token Content-Type: application/x-www-form-urlencoded grant_type= urn:ietf:params:oauth:grant-type:device_code client_id= 6731de76-14a6-49ae-97bc-6eba6914391e device_code= GMMhmHCXhWEzkobqIHGG_EnNYY...	{ "token_type": "Bearer", "scope": "User.Read profile openid email", “expires_in": 3599, "access_token": "eyJ0eXAiOiJKV1Q…” "refresh_token": "AwABAAAAvPM1K...", "id_token": "eyJ0eXAiOiJKVCJhbGciOiJub25lIn...“ }

Starting with MSAL.NET 4.5 release, the device code flow is possible with Microsoft Personal Accounts.

• This means the device code flow will work with:Any work and school accounts (https://login.microsoftonline.com/organizations/), and
• Microsoft personal accounts (/common /consumer tenants)

Summary

The Device Authorization Grant, or Device Flow, is very useful for handling authentication and authorization when it is difficult for the user to perform authentication using the device itself.

The Device Flow takes the authentication out-of-band, allowing authentication to occur on a more convenient device or app for the end-user.

The client application will then poll the authorization server for a successful authentication and proceed when a poll response provides an access and refresh token.