Skip to content

Try Device Authorization Grant

The Device Authorization Grant is a grant type in the OAuth 2.0 specification.


For more information, see Device Authorization Grant.

Follow the topics given below to try out the Device Authorization grant type.

(Optional) Configure WSO2 Identity Server


This change is optional unless you want to change the default values of the properties mentioned below.

Open the deployment.toml file (stored in the <IS_HOME>/repository/conf folder), add the following configuration, and change the values of the properties below:

key_length = 7
expiry_time = "10m"
polling_interval = "5s"
key_set = "BCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz23456789"

The parameters in this configuration are explained below.

Name Description Parameter

Key length

The length of the user code.


Expiry time

The expiry time of the user code and the device code.


Polling interval

The minimum delay of the client between each polling request to the token endpoint.


Key set

The set of characters that is used to generate the user code.


Enable the Device Authorization grant

Follow the steps given below to enable the Device Authorization grant for your application (service provider).

  1. Sign in to the Management Console.

  2. Go to Main > Identity > Service Providers and click Add.

  3. Give a name for your service provider and click Register.

  4. On the screen that follows, expand Inbound Authentication Configuration > OAuth/OpenID Connect Configuration and click Configure.

  5. Select urn:ietf:params:oauth:grant-type:device_code to enable the device flow grant type.


    Since these are public clients, ensure that Allow authentication without the client secret is checked.

  6. Click Add to save the service provider configurations.


    Note of the generated OAuth client key and client secret. When configuring your device, use the client ID as your OAuth client-key.

Try it out

Let's try out the device flow.

  1. Open a terminal and run the following command to send a request to the device_authorize endpoint.


    The client (the device) initiates this request to the authorization server. In the response, the client receives a device code, a user code, and a verification URI. The client starts polling the /token endpoint of the authorization server using the device_code at an interval as specified in the response.


  2. From a device with no input constraints, access the verification_uri and enter the user code.


    You can alternatively access the verification_uri_complete link obtained in the response.


  3. Click Continue to proceed.


    • If the user code is correct, you are prompted to enter your credentials.
    • Note that the user code is for one-time use only. If your code is expired or if you have entered a wrong user code, get a new user code by following the previous steps.


  4. Once you log in successfully, you are redirected to the configured callback URL of the service provider.


    The client, who has been polling the /token endpoint, receives the access token and the refresh token.

  5. Open a terminal window and send the following token request to the authorization server.


  6. To validate the token that you received, use the introspection endpoint.