Device flow
The device flow is designed for devices with limited input and display capabilities, for example media devices such as:
- Hybrid radios
- Connected TVs
Broadcaster requirements
- Single sign-on across multiple services using a common authorization service.
- Client mode, so that devices work "out of the box" without user registration.
- User mode, to associate a device with a user account.
Based on existing standards
- OAuth 2.0 (RFC 6749)
- OAuth 2.0 Bearer Token Usage (RFC 6750)
- OAuth 2.0 Device Profile (draft at the time; since published as RFC 8628, OAuth 2.0 Device Authorization Grant)
- OAuth 2.0 Dynamic Client Registration (draft at the time; since published as RFC 7591)
- HTTP over TLS (RFC 2818)
Components
The diagram below shows the main parties involved.
- Client: Represents the use of a service provider by an application on a device.
- Service Provider: An online service which requires authorization to access its protected resources.
- Authorization Provider: Manages client identities, the association of client identities with authenticated user identities, and the issuing of access tokens to clients.
Also shown, but not itself a participant in the CPA protocol:
- Identity Provider: Authenticates the end user and provides user identities to the Authorization Provider.
Single sign-on
CPA optionally supports single sign-on between multiple services that share a common Authorization Provider.
Depending on business rules reflecting the relationship between service providers, the Authorization Provider can:
- Require the user to sign in and enter a pairing code.
- Require the user to sign in and give confirmation, without entering a pairing code.
- Automatically grant an access token, without requiring any user action.
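The flow described above (dynamic client registration, client mode, user mode pairing, and the three single sign-on rules) as an added example, not EBU's CPA code: a self-contained Python model of an Authorization Provider and the calls a device makes against it. Response shapes follow the OAuth 2.0 device authorization grant (RFC 8628); CPA's actual endpoint paths and grant-type URIs are not reproduced, and the `sso_policy` table, the verification URI, the user-code alphabet and the service names are assumptions of this example.

```python
"""CPA-style device flow with single sign-on rules (added example, not EBU code).

Response shapes follow the OAuth 2.0 device authorization grant (RFC 8628). CPA's
real endpoint paths and grant-type URIs are not reproduced; the policy table,
verification URI and user-code alphabet below are assumptions of this example."""
import hashlib
import hmac
import secrets
import time
# Page's rules for a device already paired with a user that asks for another service.
PAIRING_CODE, CONFIRM, AUTO = "pairing_code", "confirm", "auto"
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # assumption: no look-alike characters

class AuthorizationProvider:
    def __init__(self, sso_policy, clock=time.time, code_ttl=600, interval=5):
        self.sso_policy = sso_policy  # service -> rule for already-paired devices
        self.clock, self.code_ttl, self.interval = clock, code_ttl, interval
        self.clients = {}       # client_id -> sha256(client_secret)
        self.pending = {}       # device_code -> authorization request state
        self.by_user_code = {}  # user_code -> device_code
        self.paired = {}        # client_id -> user_id (outcome of user mode)
        self.tokens = {}        # access_token -> (client_id, service, user_id|None)

    def register(self):
        """Dynamic client registration: the device gets credentials on first boot."""
        cid, secret = secrets.token_urlsafe(12), secrets.token_urlsafe(32)
        self.clients[cid] = hashlib.sha256(secret.encode()).hexdigest()
        return cid, secret

    def _auth(self, cid, secret):
        given = hashlib.sha256(secret.encode()).hexdigest()
        return hmac.compare_digest(self.clients.get(cid, ""), given)

    def _issue(self, cid, service, user):
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = (cid, service, user)
        return {"access_token": tok, "token_type": "bearer"}

    def client_token(self, cid, secret, service):
        """Client mode: the token identifies the device only, no user."""
        if not self._auth(cid, secret):
            return {"error": "invalid_client"}
        return self._issue(cid, service, None)

    def associate(self, cid, secret, service):
        """User mode: device authorization request, RFC 8628 section 3.2 shape."""
        if not self._auth(cid, secret):
            return {"error": "invalid_client"}
        user = self.paired.get(cid)
        rule = self.sso_policy.get(service, PAIRING_CODE) if user else PAIRING_CODE
        if rule == AUTO:  # device already paired, trusted service: no user action
            return self._issue(cid, service, user)
        dc = secrets.token_urlsafe(32)
        self.pending[dc] = {"client_id": cid, "service": service, "user": None,
                            "rule": rule, "created": self.clock(), "last_poll": 0.0}
        resp = {"device_code": dc, "expires_in": self.code_ttl, "interval": self.interval,
                "verification_uri": "https://ap.example/verify"}  # assumed URI
        if rule == PAIRING_CODE:  # user must type this code after signing in
            uc = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
            self.by_user_code[uc] = dc
            resp["user_code"] = uc[:4] + "-" + uc[4:]
        return resp

    def enter_pairing_code(self, user_code, user_id):
        """Browser side; user_id was established by the Identity Provider."""
        dc = self.by_user_code.pop(user_code.replace("-", "").upper(), None)
        if dc is None or dc not in self.pending:
            return False
        self.pending[dc]["user"] = user_id
        return True

    def confirm(self, cid, user_id):
        """Already-paired user approves the request from their device; no code typed."""
        for st in self.pending.values():
            if st["client_id"] == cid and st["rule"] == CONFIRM and self.paired.get(cid) == user_id:
                st["user"] = user_id
                return True
        return False

    def token(self, cid, secret, device_code):
        """Device polls with its device_code; only the requesting client may redeem it."""
        if not self._auth(cid, secret):
            return {"error": "invalid_client"}
        st = self.pending.get(device_code)
        if st is None or st["client_id"] != cid:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now - st["created"] > self.code_ttl:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if now - st["last_poll"] < self.interval:
            return {"error": "slow_down"}
        st["last_poll"] = now
        if st["user"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # one-time use
        self.paired[cid] = st["user"]
        return self._issue(cid, st["service"], st["user"])
```

The checks worth noting are the ones the page's flow depends on: the device code is bound to the client that requested it, expires, is single use, and is rate limited through `slow_down`; the user code has no meaning until the Identity Provider has authenticated the user, which happens before `enter_pairing_code` or `confirm` is called and is outside this model. Not modeled here, but required in a deployment: a lockout or rate limit on user-code entry (an 8-letter code from a 20-letter alphabet is only about 34 bits), TLS on every call, and token expiry.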
Users, clients, and devices