Authentication In Smart TV App - Device Code Flow

Background

Have you come across this scenario where you wanted to use an app on your smart TV, and you are presented with a screen like this?


Recently I tried to authenticate an app on my smart TV, and curiosity led me to explore and understand the authentication flow and the exchange of access tokens between the application and the authorization server. In the video below I have explained in detail how the user is authenticated and how tokens are exchanged to confirm the user's identity.

The Device Authorization flow has become common in applications that need authentication but run on devices like smart TVs, game consoles, and printers. These devices or their operating systems don't provide a web browser, or have limited input capabilities (no keyboard, remote-control text entry only).

The same authentication flow is also used by applications running on IoT devices and by command-line tools.

The video below explains the Device Authorization flow, followed by a detailed demo using Postman.

OAuth 2.0 Device Code Authorization Flow

Here I will explain authentication and authorization in such apps with the Microsoft identity platform.

The application obtains access tokens through a two-step process flow:

Step 1

When a user tries to log in, they are presented with a randomly generated user code together with a verification URL.


Request

POST https://login.microsoftonline.com/organizations/oauth2/v2.0/devicecode
Content-Type: application/x-www-form-urlencoded

client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&scope=user.read%20openid%20profile%20email

Response

{
  "user_code": "AW39RKQJR",
  "device_code": "AAQABAAEAAAD--",
  "verification_uri": "https://microsoft.com/devicelogin",
  "expires_in": 900,
  "interval": 5,
  "message": "To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code AW39RKQJR to authenticate."
}

Step 2

On a secondary device (such as a laptop or mobile phone) the user needs to complete sign-in interactively, entering the code shown by the first device. Meanwhile, the first device polls the authorization server, at the interval the server specified, until the user authentication has completed successfully. Once it has, tokens are issued over this back channel and the application uses them to call web APIs and perform actions on the user's behalf.


Request

POST https://login.microsoftonline.com/organizations/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

grant_type=urn:ietf:params:oauth:grant-type:device_code
&client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&device_code=GMMhmHCXhWEzkobqIHGG_EnNYY...

Response

{
  "token_type": "Bearer",
  "scope": "User.Read profile openid email",
  "expires_in": 3599,
  "access_token": "eyJ0eXAiOiJKV1Q...",
  "refresh_token": "AwABAAAAvPM1K...",
  "id_token": "eyJ0eXAiOiJKVCJhbGciOiJub25lIn..."
}
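The two steps above carried through in code, as an added example that is not from the original post or from Microsoft: the endpoint URLs, client_id and sample values are the ones shown above, the authorization server is a constructed in-memory stand-in so the example runs offline, and poll_for_token applies the RFC 8628 polling rules (authorization_pending, slow_down, stop on any other error, give up at expires_in) that the text summarises as "polls".

```python
import time
from urllib.parse import parse_qsl, urlencode
# Endpoint URLs and client_id are the ones shown in the request tables above.
DEVICE_CODE_URL = "https://login.microsoftonline.com/organizations/oauth2/v2.0/devicecode"
TOKEN_URL = "https://login.microsoftonline.com/organizations/oauth2/v2.0/token"
CLIENT_ID = "6731de76-14a6-49ae-97bc-6eba6914391e"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"

def poll_for_token(post, device_code, interval, expires_in, sleep=time.sleep):
    """Step 2: poll TOKEN_URL until the user signs in. `post(url, form_body)` returns
    (http_status, json_dict). RFC 8628 rules: authorization_pending -> keep waiting;
    slow_down -> add 5 s to the interval; any other error -> stop; never outlive expires_in."""
    body = urlencode({"grant_type": GRANT_TYPE, "client_id": CLIENT_ID, "device_code": device_code})
    elapsed = 0
    while elapsed < expires_in:
        status, resp = post(TOKEN_URL, body)
        if status == 200:
            return resp                       # token_type, access_token, refresh_token, ...
        err = resp.get("error")
        if err == "slow_down":
            interval += 5
        elif err != "authorization_pending":  # expired_token, access_denied, ...
            raise RuntimeError(f"device code flow failed: {err}")
        sleep(interval)
        elapsed += interval
    raise TimeoutError("user did not complete sign-in before expires_in")

class FakeAuthorizationServer:
    """Constructed offline stand-in for the two Microsoft endpoints: replies slow_down
    to the first poll, then authorization_pending until `approve_after` polls."""
    def __init__(self, approve_after=3):
        self.approve_after, self.polls, self.waits = approve_after, 0, []
    def post(self, url, form_body):
        params = dict(parse_qsl(form_body))
        if url == DEVICE_CODE_URL:            # step 1 response, values from the page
            return 200, {"user_code": "AW39RKQJR", "device_code": "AAQABAAEAAAD--", "expires_in": 900,
                         "interval": 5, "verification_uri": "https://microsoft.com/devicelogin"}
        assert params["grant_type"] == GRANT_TYPE and params["device_code"] == "AAQABAAEAAAD--"
        self.polls += 1
        if self.polls < self.approve_after:
            return 400, {"error": "slow_down" if self.polls == 1 else "authorization_pending"}
        return 200, {"token_type": "Bearer", "expires_in": 3599,
                     "access_token": "eyJ0eXAiOiJKV1Q...", "refresh_token": "AwABAAAAvPM1K..."}

def run_device_flow(server, scope="user.read openid profile email"):
    # Step 1 (device shows user_code + verification_uri), then step 2 polling.
    _, dc = server.post(DEVICE_CODE_URL, urlencode({"client_id": CLIENT_ID, "scope": scope}))
    token = poll_for_token(server.post, dc["device_code"], dc["interval"],
                           dc["expires_in"], sleep=server.waits.append)
    return token, server.waits
```

With the stand-in server, the first poll is answered slow_down, so the client backs off from 5 s to 10 s and the token arrives on the third poll; a real client should honour the same signals rather than hammering the token endpoint.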

Starting with the MSAL.NET 4.5 release, the device code flow is also possible with Microsoft Personal Accounts.

Summary

The Device Authorization Grant, or Device Flow, is very useful for handling authentication and authorization when it is difficult for the user to perform authentication using the device itself.

The Device Flow takes the authentication out-of-band, allowing authentication to occur on a more convenient device or app for the end-user.

The client application then polls the authorization server for a successful authentication and proceeds once a poll response returns the access and refresh tokens.
