Try Device Authorization Grant

The Device Authorization Grant is one of the grant types in the OAuth 2.0 specification. For more information about this grant type, see Device Authorization Grant. This section guides you on how to try out the Device Authorization grant type.

Device Authorization Grant Configurations

The following device authorization grant properties are configurable.

| Name | Description | Configuration |
| --- | --- | --- |
| Key length | The length of the user code. | key_length |
| Expiry time | The expiry time of the user code in milliseconds. | expiry_time |
| Polling interval | The minimum amount of time that the client should wait between polling requests to the token endpoint, configured in milliseconds. | polling_interval |
| Key set | The set of characters used to generate the user code. | key_set |

Configuring Device Authorization Grant properties during deployment

All the above parameters can be configured at the server level through the deployment.toml file. A sample configuration is shown below.

    key_length = 7
    expiry_time = 60000
    polling_interval = 5000
    key_set = "BCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz23456789"
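The settings above decide how hard a user code is to guess. The following script is an added example, not WSO2 Identity Server code: it generates codes from the sample key_set and key_length with a CSPRNG, shows the cheap syntactic check a verification endpoint can apply before any lookup, and works out the keyspace, entropy and guess probability that the sample expiry_time gives. The per-client rate limit of 10 attempts per second used in describe_settings is an assumption, not a WSO2 setting.

```python
"""User-code generation and sizing checks for the device-flow settings above.

Added example, not WSO2 Identity Server code. Uses the sample values from the
deployment.toml snippet on this page; the rate limit is an assumption.
"""
import math
import secrets

# Sample values from the deployment.toml snippet above.
KEY_SET = "BCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz23456789"
KEY_LENGTH = 7
EXPIRY_TIME_MS = 60000


def generate_user_code(key_set: str = KEY_SET, key_length: int = KEY_LENGTH) -> str:
    """Draw each character uniformly from key_set with a CSPRNG (secrets, not random)."""
    if len(set(key_set)) != len(key_set):
        raise ValueError("key_set contains duplicate characters, which would bias the code")
    return "".join(secrets.choice(key_set) for _ in range(key_length))


def is_well_formed_user_code(code: str, key_set: str = KEY_SET,
                             key_length: int = KEY_LENGTH) -> bool:
    """Syntactic check a verification endpoint can run before any lookup.

    A code of the wrong length or with characters outside key_set can never
    match, so rejecting it early saves a storage round trip per bad entry.
    """
    return len(code) == key_length and all(ch in key_set for ch in code)


def keyspace_size(key_set_size: int, key_length: int) -> int:
    """Number of distinct user codes the settings can produce."""
    return key_set_size ** key_length


def user_code_entropy_bits(key_set_size: int, key_length: int) -> float:
    """Entropy in bits of a code drawn uniformly from the keyspace."""
    return key_length * math.log2(key_set_size)


def guess_probability(attempts: int, key_set_size: int, key_length: int) -> float:
    """Fraction of the keyspace covered by `attempts` distinct guesses at one live code.

    RFC 8628 ties user-code strength to rate limiting and code lifetime; this
    is the number to keep negligible when choosing the settings.
    """
    return min(1.0, attempts / keyspace_size(key_set_size, key_length))


def describe_settings(key_set: str = KEY_SET, key_length: int = KEY_LENGTH,
                      expiry_ms: int = EXPIRY_TIME_MS,
                      attempts_per_second: float = 10.0) -> dict:
    """Summarise the settings under an assumed per-client rate limit (assumption)."""
    n = len(key_set)
    attempts_in_window = int(attempts_per_second * expiry_ms / 1000)
    return {
        "keyspace": keyspace_size(n, key_length),
        "entropy_bits": round(user_code_entropy_bits(n, key_length), 1),
        "attempts_in_window": attempts_in_window,
        "guess_probability": guess_probability(attempts_in_window, n, key_length),
    }


if __name__ == "__main__":
    sample = generate_user_code()
    print("sample user code:", sample, "well-formed:", is_well_formed_user_code(sample))
    print(describe_settings())
```

With the sample values the keyspace is 50^7 (about 7.8e11 codes, roughly 39.5 bits), so a 60-second lifetime combined with any sensible rate limit on the verification page keeps the guess probability negligible; shortening key_length or widening the window shifts that balance, and the function makes the trade-off visible before it is deployed.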
  1. Navigate to /bin and start the server by running the following command in a terminal window.

    wso2server.bat run
  2. Access the [WSO2 Identity Server Management Console](https://localhost:9443/carbon) and log in using your user name and password.

  3. On the Main menu, click Service Providers > Add.



  4. Expand Inbound Authentication Configuration > OAuth/OpenID Connect Configuration. Click Configure.


  5. Select urn:ietf:params:oauth:grant-type:device_code to enable the device flow grant type.


    Since these are public clients, ensure that the Allow authentication without the client secret option is checked.

  6. Next, click Update to save the service provider configurations. Note the generated OAuth client key and client secret.



    When configuring your device, use the OAuth client key as the client ID.

  7. Open a terminal window and run the following command to send a request to the device_authorize endpoint.

    The client (the device) initiates this request to obtain a device code, a user code, and a verification URI from the authorization server.


  8. Access the obtained verification_uri from a device that is not input-constrained. You can either enter the user code there or open the verification_uri_complete obtained from the response.


  9. Click Sign In. If the user code is correct, you will be prompted to enter your credentials. If you have entered a wrong user code or an expired one (user codes are one-time use), you will be asked to re-enter your user code. In that case, obtain a new user code by repeating the previous steps and enter the new user code along with your credentials.



  10. Upon successful authentication, you will be redirected to the configured callback URL of the service provider.

  11. To obtain an access token and a refresh token, the client must call the /token endpoint of the authorization server. The client polls the authorization server at the polling interval returned in the response in step 7.

    Open a terminal window and run the following command to send a token request to the authorization server.


  12. To validate your token, use the introspection endpoint. Invoke the OAuth Introspection Endpoint
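Steps 7 and 11 together are the client side of RFC 8628: request the codes with only a client_id, show the user where to go, then poll the token endpoint no faster than the returned interval while handling authorization_pending, slow_down and the final errors. The script below is an added example, not WSO2 Identity Server code. The endpoint paths (/oauth2/device_authorize and /oauth2/token on a local install), the client_id placeholder and the FakeAuthServer responses are assumptions or constructed data; run it as-is and it exercises the polling logic against the in-memory stand-in, set DEVICE_CLIENT_ID to a real public client and it talks to the server.

```python
"""RFC 8628 device-flow client for steps 7 and 11 of the walkthrough above.

Added example, not WSO2 Identity Server code. Endpoint paths, the client_id
placeholder and the FakeAuthServer replies are assumptions / constructed.
"""
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
# Assumed paths for a default local WSO2 IS install; adjust to your deployment.
DEVICE_AUTHORIZE_URL = "https://localhost:9443/oauth2/device_authorize"
TOKEN_URL = "https://localhost:9443/oauth2/token"

Poster = Callable[[str, Dict[str, str]], Dict]  # POST form fields, get JSON back


def post_form(url: str, fields: Dict[str, str]) -> Dict:
    """POST a form body and return the parsed JSON, including 4xx error bodies.

    TLS verification stays on: import the server certificate into the trust
    store instead of disabling checks for a localhost test.
    """
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as err:  # token errors arrive as HTTP 400 + JSON
        return json.loads(err.read())


def request_device_code(client_id: str, post: Poster = post_form) -> Dict:
    """Step 7: a public client sends only its client_id (no client secret)."""
    resp = post(DEVICE_AUTHORIZE_URL, {"client_id": client_id})
    missing = [k for k in ("device_code", "user_code", "verification_uri", "expires_in")
               if k not in resp]
    if missing:
        raise ValueError(f"device_authorize response lacks {missing}: {resp}")
    return resp


def poll_for_token(client_id: str, device_code: str, interval: int, expires_in: int,
                   post: Poster = post_form, sleep: Callable[[float], None] = time.sleep) -> Dict:
    """Step 11: poll /token no faster than `interval` seconds until a result.

    authorization_pending keeps polling; slow_down adds 5 s to the interval
    (RFC 8628 section 3.5); any other error (access_denied, expired_token,
    invalid_grant ...) is final. Stop once the device code lifetime has passed.
    """
    waited = 0
    while waited < expires_in:
        resp = post(TOKEN_URL, {"grant_type": DEVICE_CODE_GRANT,
                                "device_code": device_code, "client_id": client_id})
        if "access_token" in resp:
            return resp
        error = resp.get("error")
        if error == "slow_down":
            interval += 5
        elif error != "authorization_pending":
            raise RuntimeError(f"token endpoint returned {error}: {resp.get('error_description', '')}")
        sleep(interval)
        waited += interval
    raise TimeoutError("device code expired before the user approved the request")


def run_device_flow(client_id: str, post: Poster = post_form, sleep=time.sleep) -> Dict:
    """Whole exchange: obtain codes, tell the user where to go, poll, return the token."""
    dev = request_device_code(client_id, post)
    print("Visit", dev.get("verification_uri_complete") or dev["verification_uri"],
          "and enter code", dev["user_code"])
    return poll_for_token(client_id, dev["device_code"], int(dev.get("interval", 5)),
                          int(dev["expires_in"]), post, sleep)


class FakeAuthServer:
    """Constructed stand-in so the flow runs offline: pending, slow_down, pending, token."""

    def __init__(self) -> None:
        self.calls: List[Dict[str, str]] = []
        self.token_replies = [{"error": "authorization_pending"}, {"error": "slow_down"},
                              {"error": "authorization_pending"},
                              {"access_token": "constructed-token", "token_type": "Bearer",
                               "expires_in": 3600}]

    def __call__(self, url: str, fields: Dict[str, str]) -> Dict:
        self.calls.append(dict(fields))
        if url == DEVICE_AUTHORIZE_URL:
            return {"device_code": "constructed-device-code", "user_code": "BCDFGHJ",
                    "verification_uri": "https://localhost:9443/verify-placeholder",
                    "expires_in": 60, "interval": 5}
        return self.token_replies.pop(0)


def simulate() -> Dict:
    """Run the flow against FakeAuthServer, recording sleeps instead of waiting."""
    server, sleeps = FakeAuthServer(), []
    token = run_device_flow("placeholder-client-id", post=server, sleep=sleeps.append)
    return {"token": token, "sleeps": sleeps, "calls": server.calls}


if __name__ == "__main__":
    real_client_id = os.environ.get("DEVICE_CLIENT_ID")
    print(run_device_flow(real_client_id) if real_client_id else simulate())
```

The slow_down handling is the part most home-grown clients get wrong: the server's polling_interval setting above is what makes it answer slow_down to a client that polls too eagerly, and a client that ignores that error is simply rate limited until the code expires. In the simulation the recorded sleeps are 5, 10, 10 seconds, showing the interval growing after the slow_down reply and staying there.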