Cross Platform Authentication

Device flow

The device flow is designed for limited input, limited display devices, e.g., media devices:

  • Hybrid radios
  • Connected TVs

Broadcaster requirements

  • Single sign-on across multiple services using a common authorization service.
  • Client mode, so that devices work "out of the box" without user registration.
  • User mode, to associate a device with a user account.

Based on existing standards

  • OAuth 2.0 (RFC 6749)
  • OAuth 2.0 Bearer Token Usage (RFC 6750)
  • OAuth 2.0 Device Profile (draft)
  • OAuth 2.0 Dynamic Client Registration (draft)
  • HTTP over TLS (RFC 2818)


The diagram below shows the main parties involved.

  • Client: Represents the use of a service provider by an application on a device.
  • Service Provider: An online service which requires authorization to access its protected resources.
  • Authorization Provider: Manages client identities, the association of client identities with authenticated user identities, and the issuing of access tokens to clients.

Also shown, but not itself a participant in the CPA protocol:

  • Identity Provider: Authenticates the end user and provides user identities to the Authorization Provider.

Single sign-on

CPA optionally supports single sign-on between multiple services that share a common Authorization Provider.

Depending on business rules reflecting the relationship between service providers, the Authorization Provider can:

  • Require the user to sign in and enter a pairing code.
  • Require the user to sign in and give confirmation, without entering a pairing code.
  • Automatically grant an access token, without requiring any user action.

Users, clients, and devices


Go to Tutorial Setup.

In [ ]: