oauth2.dev

device_code

IESG

Registry Context

The device access token request must include `device_code` when using the device authorization grant.

Technical Summary

`device_code` is the required device verification code from the device authorization response. The client sends it to the token endpoint when requesting an access token with the device authorization grant.

When Used

When sending a device access token request to the token endpoint using the device authorization grant.

Normative Requirements

Clients

MUST
1
  1. RFC 8628 - Section 3.4

    authenticate with the authorization server as described in RFC 6749 Section 3.2.1.

    Condition: if the client was issued client credentials or assigned other authentication requirements

    the client MUST authenticate with the authorization server

REQUIRED
1
  1. RFC 8628 - Section 3.4

    include the `device_code` parameter in the device access token request.

    Condition: when requesting an access token using the device authorization grant

    device_code REQUIRED.

Validation Guidance

error

Reject a device access token request that omits `device_code`.

error

Require client authentication when the client was issued client credentials or assigned other authentication requirements.

Security Notes

RFC 8628 - Section 3.4

Statically distributed client credentials have security implications; RFC 8628 Section 5.6 provides additional discussion.

Reference

Details

Entry Id
device_code
Name
device_code
Parameter Usage Location
token request
Change Controller
IESG
Reference
RFC8628 - Section 3.1