device_ code
Registry Context
The device access token request must include `device_code` when using the device authorization grant.
Technical Summary
`device_code` is the required device verification code from the device authorization response. The client sends it to the token endpoint when requesting an access token with the device authorization grant.
When Used
When sending a device access token request to the token endpoint using the device authorization grant.
Normative Requirements
Clients
RFC 8628 - Section 3.4
authenticate with the authorization server as described in RFC 6749 Section 3.2.1.
Condition: if the client was issued client credentials or assigned other authentication requirements
the client MUST authenticate with the authorization server
RFC 8628 - Section 3.4
include the `device_code` parameter in the device access token request.
Condition: when requesting an access token using the device authorization grant
device_code REQUIRED.
Validation Guidance
Reject a device access token request that omits `device_code`.
Require client authentication when the client was issued client credentials or assigned other authentication requirements.
Security Notes
RFC 8628 - Section 3.4
Statically distributed client credentials have security implications; RFC 8628 Section 5.6 provides additional discussion.
Reference
Details
- Entry Id
device_code - Name
device_code - Parameter Usage Location
token request- Change Controller
IESG- Reference
RFC8628 - Section 3.1