Introduction
...
| Endpoint | HTTP Method | Purpose |
|---|---|---|
| /api/auth/v1/device | POST | Creates unique user code and a verification URI to present it on a external browser to verify the user. |
| /api/auth/v1/device/verify | POST | Verifies the user code with the authenticated user. |
| /api/auth/v1/access_token grant_type="urn:ietf:params:oauth:grant-type:device_code" | POST | Provides access_token to the device once the user is verified externally. |
...
When the user wants to log in, the device starts out by making a POST request to begin the process. The POST request contains only one piece of information, its client_id. This request is made to a /api/auth/v1/device endpoint that is unique to the Device Flow.
| Code Block |
|---|
curl -X POST "https://testing.booxmedia.xyz/api/auth/v1/device" -H "accept: application/vnd.api+json" -H "Content-Type: application/json" -d "{\"client_id={CLIENT_ID}\":\"xyz123\"}" |
The server will respond with a JSON document with a few pieces of information.
...
device_code- This is a long string that the device will use to eventually exchange for an access token.verification_uri- This is the URL the user needs to enter into their phone to start logging in.user_code- This is the text the user will enter at the URL above.expires_in- The number of seconds that this set of values is valid. After this amount of time, thedevice_codeanduser_codewill expire and the device will have to start over.interval- The number of seconds the device should wait between polling to see if the user has finished logging in.
Now the device needs to display the URL and User Code to the user.
Verification:
User logs in with regular authentication mechanism to the service from mobile phone/browser, then enters the verification_uri provided by the device endpoint, a POST request is made to /api/auth/v1/device/verify endpoint to verify the user. See: User Authentication#/Device%20Authorization/verifyUserCode
| Code Block |
|---|
curl -X POST "https://testing.booxmedia.xyz/api/auth/v1/device/verify" -H "accept: */*" -H "Content-Type: application/json" -d "{\"user_code\":\"ABCD-1234\",\"user_id\":\"1234\"}" |
...
Now the device needs to display the URL and User Code to the user. While the device waits for the user to enter the code and log in, it will make a POST request every 5 seconds as specified by the interval returned. This POST request will be made to the /api/auth/v1/access_tokenendpoint, using a grant type of urn:ietf:params:oauth:grant-type:device_code
| Code Block |
|---|
curl -X POST "https://testing.booxmedia.xyz/api/auth/v1/authorization-server.com/token grant_type=access_tokens" -H "accept: application/vnd.api+json" -H "Content-Type: application/json" -d "{\"grant_type\":\"urn:ietf:params:oauth:grant-type:device_code &client_id=CLIENT_ID &device_code=NGU4QWFiNjQ5YmQwNG3YTdmZMEyNzQ3YzQ1YSA\",\"credentials\”:{\”client_id\”:\”1234xyz”, \”device_code\”:\”NGU4QWFiNjQ5YmQwNG3YTdmZMEyNzQ3YzQ1YSA ”},\”login_user_profile\":\"84eb61a9-75d4-42c7-8c15-84c3d7776227\”}” |
While the user is busy logging in on their phone, the token endpoint will return the error message below:
...
The Authentication Pending error means the user isn’t finished logging in, but the code hasn’t yet expired either. The device should try this again after the specified number of seconds., if the device polls against interval time provided, Too Many Requests error will be returned
| Code Block |
|---|
{
"errors": [
{
"id": "6de7da3e-8877-4f2b-a670-16e18e5d79a0",
"status": "429",
"code": "0",
"title": "Too Many Requests",
"detail": " - Slow Down"
}
]
} |