Example Authorization Flow
The Device Code grant type provides a specific grant flow in which a device client executes on a device that doesn't have an easy data-entry method (for example, game consoles, streaming media players and digital picture frames), and the device client is incapable of receiving incoming requests from the authorization server.
To obtain an access token to access protected resources through a device client, instead of interacting directly with the device client, the device client instructs the user to use another computer or device and connect to the authorization server to approve the access request. The device client polls the authorization server repeatedly until the user completes the approval process.
When you create an application using the Device Code grant type in the Oracle Identity Cloud Service administration console UI, select Device Code as the grant type.
See Device Code Grant Type for more information on the Device Code grant type and an authorization flow diagram.
Authorization Flow
- A device client makes an unauthenticated request to the /oauth2/v1/device endpoint. The request body carries form parameters that indicate the type of access being requested (response_type=device_code, the requested scope, and the client_id of the device client):
Request Example
curl -i -k -H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' --request POST 'https://tenant-base-url/oauth2/v1/device' -d 'response_type=device_code&scope=http://example.com/quotes&client_id=<client-id>'
(The -k flag in these examples disables TLS certificate verification in curl; use it only against a test tenant.)
- The authorization server responds with a device code, a user code, a verification URI, and the lifetime of those codes in seconds (expires_in).
Response Example
{ "expires_in": 300, "device_code": "4d03f7bc-f7a5-4795-819a-5748c4801d35", "user_code": "SDFGHJKL", "verification_uri": "http://tenant-base-url/ui/v1/device" }
- The device displays the user code (user_code) and the verification URI (verification_uri) where the user needs to go to enter the user code.
- The device client application doesn't know whether the user has authorized the request. While the user authorizes (or denies) the client's request, the client repeatedly polls the authorization server at the token endpoint (/oauth2/v1/token) to find out whether the user has completed the authorization step. Each poll includes the device code (device_code) and identifies the client: a confidential client authenticates with its client ID and secret, a public client sends its client_id in the request body, and a client can alternatively present a JWT or SAML client assertion.
Request Example: Confidential Client
curl -i -k -H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' -H 'Authorization: Basic <base64 clientid:secret>' --request POST 'https://tenant-base-url/oauth2/v1/token' -d 'grant_type=urn:ietf:params:oauth:grant-type:device_code&device_code=4d03f7bc-f7a5-4795-819a-5748c4801d35'
Request Example: Public Client
curl -i -k -H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' --request POST 'https://tenant-base-url/oauth2/v1/token' -d 'grant_type=urn:ietf:params:oauth:grant-type:device_code&client_id=3e51760ceb1245b7b77d0b1ff280bb72&device_code=4d03f7bc-f7a5-4795-819a-5748c4801d35'
Request Example Using a Client Assertion
curl -i -k -H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' --request POST 'https://tenant-base-url/oauth2/v1/token' -d 'grant_type=urn:ietf:params:oauth:grant-type:device_code&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=<clientAssertion>&device_code=4d03f7bc-f7a5-4795-819a-5748c4801d35'
Request Example Using a SAML Assertion
curl -i -k -H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' --request POST 'https://tenant-base-url/oauth2/v1/token' -d 'grant_type=urn:ietf:params:oauth:grant-type:device_code&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Asaml2-bearer&client_assertion=<samlAssertion>&device_code=4d03f7bc-f7a5-4795-819a-5748c4801d35'
- After the user authenticates, enters the user code, and authorizes access, the Oracle Identity Cloud Service OAuth Authorization Server answers the client's next poll with an access token that contains all applicable Oracle Identity Cloud Service scopes based on the privileges represented by the application roles granted to the requesting client application.
- The requesting device client uses the access token in an API call to obtain protected data.
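The complete client side of the flow above, as an added example (not Oracle's code or an Oracle SDK): it requests the device code, tells the user where to go, and then polls the token endpoint with the public-client or confidential-client form shown on this page. The endpoint paths, parameter names, and sample codes are taken from the page; the tenant base URL and client ID are placeholders. The poll loop handles the standard RFC 8628 responses (authorization_pending, slow_down, expired_token, access_denied); that Oracle Identity Cloud Service returns exactly these error codes is an assumption, since the page does not list them. The FakeAuthServer and FakeClock are constructed stand-ins so the example runs offline; against a real tenant you would pass http_post, which verifies TLS (the equivalent of dropping curl's -k).

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TENANT = "https://tenant-base-url"  # placeholder from the page
DEVICE_ENDPOINT = f"{TENANT}/oauth2/v1/device"
TOKEN_ENDPOINT = f"{TENANT}/oauth2/v1/token"
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


def http_post(url, form, auth_header=None):
    """Real transport: form-encoded POST; returns (status, JSON body). TLS is verified."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded; charset=utf-8")
    if auth_header:  # e.g. "Basic <base64 clientid:secret>" for a confidential client
        req.add_header("Authorization", auth_header)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")


def request_device_code(post, client_id, scope):
    """Step 1: unauthenticated request to the device endpoint."""
    status, body = post(DEVICE_ENDPOINT,
                        {"response_type": "device_code", "client_id": client_id, "scope": scope})
    if status != 200:
        raise RuntimeError(f"device endpoint returned {status}: {body}")
    return body  # device_code, user_code, verification_uri, expires_in


def poll_for_token(post, device_code, client_id, expires_in, interval=5,
                   sleep=time.sleep, clock=time.monotonic, auth_header=None):
    """Step 3: poll the token endpoint until approval, denial, or code expiry.

    Public clients put client_id in the form; confidential clients send the
    Authorization header instead, matching the two curl examples on the page.
    Error codes below are the RFC 8628 ones (assumed for this server).
    """
    form = {"grant_type": DEVICE_GRANT, "device_code": device_code}
    if auth_header is None:
        form["client_id"] = client_id
    deadline = clock() + expires_in
    while clock() < deadline:
        sleep(interval)  # never poll faster than the interval
        status, body = post(TOKEN_ENDPOINT, form, auth_header)
        if status == 200 and "access_token" in body:
            return body
        err = body.get("error")
        if err == "authorization_pending":
            continue
        if err == "slow_down":
            interval += 5  # RFC 8628 5.2: back off by 5 seconds
            continue
        if err in ("expired_token", "access_denied"):
            raise PermissionError(err)
        raise RuntimeError(f"unexpected token response {status}: {body}")
    raise TimeoutError("device code expired before the user approved")


def run_device_flow(post, client_id="<client-id>", scope="http://example.com/quotes",
                    sleep=time.sleep, clock=time.monotonic, auth_header=None):
    grant = request_device_code(post, client_id, scope)
    print(f"Go to {grant['verification_uri']} and enter code {grant['user_code']}")
    return poll_for_token(post, grant["device_code"], client_id, grant["expires_in"],
                          sleep=sleep, clock=clock, auth_header=auth_header)


class FakeClock:
    """Constructed clock: sleeping advances time instantly so the example finishes at once."""
    def __init__(self):
        self.now = 0.0

    def sleep(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


class FakeAuthServer:
    """Constructed stand-in for the authorization server (offline only).

    Answers slow_down on the first poll, authorization_pending until the user
    'approves' on poll number approve_on_poll, then returns a token.
    """
    def __init__(self, approve_on_poll=3):
        self.approve_on_poll, self.polls = approve_on_poll, 0
        self.device_code = "4d03f7bc-f7a5-4795-819a-5748c4801d35"  # value from the page

    def __call__(self, url, form, auth_header=None):
        if url == DEVICE_ENDPOINT:
            return 200, {"expires_in": 300, "device_code": self.device_code,
                         "user_code": "SDFGHJKL", "verification_uri": f"{TENANT}/ui/v1/device"}
        if form.get("grant_type") != DEVICE_GRANT or form.get("device_code") != self.device_code:
            return 400, {"error": "invalid_grant"}
        self.polls += 1
        if self.polls == 1:
            return 400, {"error": "slow_down"}
        if self.polls < self.approve_on_poll:
            return 400, {"error": "authorization_pending"}
        return 200, {"access_token": "at-example", "token_type": "Bearer", "expires_in": 3600}


if __name__ == "__main__":
    clk = FakeClock()
    print(run_device_flow(FakeAuthServer(), sleep=clk.sleep, clock=clk))
```

The two behaviours worth checking in any device client are visible here: the loop honours slow_down by lengthening its interval rather than retrying immediately, and it gives up when expires_in elapses instead of polling a dead device code forever.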