Everyone needs a little ‘OAuth2 Device Flow’ in their lives

Chamath
6 min read · Oct 15, 2021
Photo by Humphrey Muleba on Unsplash

It’s Saturday. You are home on your comfy couch. It’s time to unwind after a hectic week. “Yes, I deserve it”, you say to yourself as you pull out the PlayStation to play everyone’s favorite game, “The Last of Us Part II”. Life is good. And nothing can ever ruin this.

You are living out the story and the gameplay to the fullest. You know it’s low-resolution escapism from life and probably a complete waste of time; time you could’ve better spent repairing the abysmal wreck you call your social life. But you feel good and happy. And that’s all that matters. So you blissfully ignore that. And nothing can ever ruin this.

A few hours pass. You think of sharing a few screencaps from the game on your Facebook or Twitter. You take a few screenshots of cool pre-rendered cutscenes in the game. Then you go to the PlayStation gallery and pick out the best ones. You are finally ready to share these with your 12 followers. And nothing can ever ruin this.

You click on share. This is your first time doing this so you have to connect your Twitter account to your PS4 console.

Okay, not ideal. But you go ahead. You spend a couple of minutes typing out your username from the given on-screen keyboard. Now you have to enter the password. Then it hits you. You remember your Twitter password is an auto-generated one. One that you set up with LastPass when LastPass was all the rage.

So you open up your laptop and log in to your LastPass account. You see your Twitter password and your heart sinks. It’s a 16-character random string that looks something like this.

49@*915k0w5$oYmH

Now you have to type this out by hand… using an on-screen keyboard.

You’re still not losing hope. You try to stay positive. “This is not the worst thing that has ever happened to me” you say to yourself as you give it a go. You spend another couple of minutes typing out the password, swapping out character sets from the on-screen keyboard. Finally, you click on login. And just like you knew you would, you have mistyped your password. You give up. You don’t feel like playing anymore. Life has no meaning. And now, everything is ruined.

Much like your Saturday afternoons, signing into apps and services can be very frustrating. Especially when using an input-constrained device like a smart TV, a PlayStation, or any other IoT device. You usually end up resorting to an on-screen keyboard, or else connecting an input device, just to type in your credentials and authenticate.

This is where the OAuth2 Device Flow comes into the picture. With the OAuth2 Device Flow, you won’t have to go through the trouble of using an on-screen keyboard (among many other things) to log in 😺

How? Let’s dive in.

First, an example: this is how the popular streaming service “Locast” implemented the OAuth2 Device Flow.

Locast used to be a service that let you access broadcast television stations over the internet. When you opened up Locast from your smart TV, it let you log in with a few different options. When you chose “Login with Code”, you got the screen shown above. The idea is to let the user authenticate with their smartphone or computer rather than going through something like an on-screen keyboard.

To complete the login and activate Locast on your smart TV, you would first visit the URL shown on the screen (or scan the QR code with your phone so you don’t have to type in the URL). If you don’t already have an authenticated session, you will have to log in to the site from your phone. But there, you can use your favorite password manager or the passwords saved in the browser. And on the page you visit, you will be prompted to enter a code.

The code that is there on your TV screen. You enter the code and you’re in. Now you are connected to your Locast account on your TV. I mean, how easy can it get? You get a much better user experience and the application gets the OAuth 2.0 goodness along with all the security features (2FA, adaptive authentication, etc.) enabled by the identity provider. This is all without the application even having access to a web browser.

Now let’s take a look at what’s happening under the hood. This diagram shows the basic steps in the device code flow. Let’s go through them one by one.

In the first step, the device client (Smart TV) will initiate the device flow with a device authorization request. In the Locast example, this happens when the user chooses the option, “Sign in with Code”. The client sends this request to the /device_authorization endpoint with the client ID.

Then the Authorization Server responds with a device code, a user code, and a verification URI back to the device client. That’s the second step.

Now with this info at hand, the device client, the smart TV in our case, displays this verification URI and the user code to the user. The manner in which this info is presented is up to the device client. It can simply display the verification URI and code as text, or else encode them in a scannable QR code as Locast does.

While the device client displays this info to the user, it also starts polling the /token endpoint of the Authorization Server, asking for an access token. In each polling request, the device client sends the client ID and the device code. On receiving the token request, the Authorization Server checks whether the user has completed authorization for this device code yet and returns the current status.

That’s our third step in the diagram.

While this client polling is happening, the user will continue the flow by accessing the URI and providing the user code. Here, the Authorization Server would authenticate the user if they don’t have a valid session. This would involve all the authentication steps that are enforced for this client in the Authorization Server. That’s our fourth and fifth steps.

And once the user is authenticated, the /token endpoint responds to the polling request with an access token (optionally a refresh token and an ID token as well). That concludes our flow, and now the user has connected their Locast account to their Smart TV.

Here’s the sequence diagram for the flow we just discussed.
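To make the six steps above concrete, here is an added example (not Locast's code, nor any real server's) of a minimal in-memory Authorization Server exposing the two device-flow endpoints as Python methods. The class name, the placeholder verification URI and the injectable `clock` are my own assumptions; the grant type and error codes are the ones RFC 8628 defines.

```python
import secrets
import string
import time

class AuthorizationServer:
    """Hypothetical in-memory AS with the RFC 8628 device-flow endpoints (illustration only)."""
    GRANT = "urn:ietf:params:oauth:grant-type:device_code"

    def __init__(self, lifetime=600, interval=5, clock=time.time):
        self.lifetime, self.interval, self.clock = lifetime, interval, clock
        self.pending = {}  # device_code -> authorization record
    def device_authorization(self, client_id, scope=""):
        # Steps 1 and 2: the long random device_code stays on the TV and is never
        # displayed; the short user_code is the only value the user has to type.
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(string.ascii_uppercase + string.digits)
                            for _ in range(8))
        self.pending[device_code] = {
            "client_id": client_id, "user_code": user_code, "scope": scope,
            "expires": self.clock() + self.lifetime, "user": None, "last_poll": 0.0}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://as.example/device",  # placeholder URI
                "expires_in": self.lifetime, "interval": self.interval}
    def verify(self, user_code, authenticated_user):
        # Steps 4 and 5: the user, already signed in on their phone or laptop,
        # enters the code; the pending grant is bound to that user exactly once.
        code = user_code.replace("-", "").upper()
        for rec in self.pending.values():
            if rec["user_code"] == code and rec["user"] is None and self.clock() < rec["expires"]:
                rec["user"] = authenticated_user
                return True
        return False
    def token(self, client_id, device_code, grant_type):
        # Step 3: the TV polls here; each error is the RFC 8628 error code a real
        # /token endpoint returns in that situation.
        now, rec = self.clock(), self.pending.get(device_code)
        if grant_type != self.GRANT or rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if now >= rec["expires"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if now - rec["last_poll"] < self.interval:  # polled faster than `interval`
            rec["last_poll"] = now
            return {"error": "slow_down"}
        rec["last_poll"] = now
        if rec["user"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # a device_code is redeemed only once
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "scope": rec["scope"]}
```

Note that a wrong client ID, a reused device code and an expired code all fail closed, and that the server only ever learns which user approved the code, never the user's password.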

To cap it off, device flow can elevate the user experience significantly for input-constrained devices. With device flow, you won’t have to remember your Twitter password to connect to your Twitter account through your console. You would be able to use your favorite password manager LastPass from your web browser and connect your account in a matter of seconds.

From the application’s point of view, it now has the ability to use OAuth 2.0 in the authentication process despite the device client not having access to a web browser. And it can benefit from all the security features provided through the Authorization Server during user authentication.

And the device code flow further elevates the level of security from a user perspective as well since now you are not providing your account credentials to a Smart(?) TV or any untrusted device 🙃

Right, that’s it for today. Additionally, if you want to learn more about Device Flow, you can check out these articles:
https://www.oauth.com/oauth2-servers/device-flow/
https://alexbilbie.com/2016/04/oauth-2-device-flow-grant/
https://pragmaticwebsecurity.com/articles/oauthoidc/device-flow.html

Thanks for reading thus far. Have an amazing weekend! You deserve it ;)
