oauth2.dev

authorization_pending

IETF

Registry Context

A device authorization grant error indicating that the end user has not yet completed the authorization steps.

Technical Summary

A token endpoint error for the OAuth 2.0 Device Authorization Grant indicating that the authorization request remains pending.

When Used

Returned in a device authorization grant token response while the end user has not yet completed the user-interaction steps.

Normative Requirements

Clients

MUST
3
  1. RFC 8628 - Section 3.5

    wait at least the interval specified in the device authorization response, or 5 seconds if none was provided, and respect increases required by slow_down.

    Condition: before each new polling request

    Before each new request, the client MUST wait at least the number of seconds specified by the "interval" parameter [...] or 5 seconds if none was provided.

  2. RFC 8628 - Section 3.5

    stop polling.

    Condition: if it receives an error response with any code other than authorization_pending or slow_down

    If the client receives an error response with any other error code, it MUST stop polling.

  3. RFC 8628 - Section 3.5

    reduce its polling frequency before retrying.

    Condition: when it encounters a connection timeout

    On encountering a connection timeout, clients MUST unilaterally reduce their polling frequency before retrying.

SHOULD
2
  1. RFC 8628 - Section 3.5

    repeat the access token request to the token endpoint.

    Condition: when it receives an authorization_pending error

    The client SHOULD repeat the access token request to the token endpoint (a process known as polling).

  2. RFC 8628 - Section 3.5

    react appropriately to the error, for example by displaying an error to the user.

    Condition: if it receives an error response with any code other than authorization_pending or slow_down

    [It] SHOULD react accordingly, for example, by displaying an error to the user.

RECOMMENDED
1
  1. RFC 8628 - Section 3.5

    use an exponential backoff algorithm, such as doubling the polling interval after each connection timeout.

    Condition: when reducing polling frequency following connection timeouts

    The use of an exponential backoff algorithm to achieve this [...] is RECOMMENDED.

Validation Guidance

error

When authorization_pending is received, the client repeats the token request only after waiting the required polling interval.

error

The client stops polling after receiving an error other than authorization_pending or slow_down.

error

After a connection timeout, the client reduces its polling frequency before retrying, preferably using exponential backoff.

info

authorization_pending is used as a token endpoint error for the device authorization grant while end-user interaction remains incomplete.

Reference

Details

Entry Id
authorization_pending
Name
authorization_pending
Usage Location
Token endpoint response
Protocol Extension
RFC8628
Change Controller
IETF
Reference
RFC8628 - Section 3.5