features.deviceFlow
RFC8628 - OAuth 2.0 Device Authorization Grant (Device Flow)
Specifies whether the OAuth 2.0 Device Authorization Grant shall be enabled. When enabled, the authorization server shall support the device authorization flow, enabling OAuth clients on input-constrained devices to obtain user authorization by directing the user to perform the authorization flow on a secondary device with richer input and display capabilities.
default value:
{ charset: 'base-20', deviceInfo: [Function: deviceInfo], // see expanded details below enabled: false, mask: '****-****', successSource: [AsyncFunction: successSource], // see expanded details below userCodeConfirmSource: [AsyncFunction: userCodeConfirmSource], // see expanded details below userCodeInputSource: [AsyncFunction: userCodeInputSource] // see expanded details below}(Click to expand) features.deviceFlow options details
charset
Section titled “charset”Specifies the character set used for generating user codes in the device authorization flow. This configuration determines the alphabet from which user codes are constructed. Supported values include:
base-20- Uses characters BCDFGHJKLMNPQRSTVWXZ (excludes easily confused characters)digits- Uses characters 0123456789 (numeric only)
default value:
'base-20'deviceInfo
Section titled “deviceInfo”Specifies a helper function that shall be invoked to extract device-specific information from device authorization endpoint requests. The extracted information becomes available during the end-user confirmation screen to assist users in verifying that the authorization request originated from a device in their possession. This enhances security by enabling users to confirm device identity before granting authorization.
default value:
function deviceInfo(ctx) { return { ip: ctx.ip, ua: ctx.get('user-agent'), };}Specifies the template pattern used for generating user codes in the device authorization flow. The authorization server shall replace * characters with random characters from the configured charset, while - (dash) and (space) characters may be included for enhanced readability. Refer to RFC 8628 for guidance on minimal recommended entropy requirements for user code generation.
default value:
'****-****'successSource
Section titled “successSource”Specifies the HTML source that shall be rendered when the device flow feature displays a success page to the User-Agent. This template is presented upon successful completion of the device authorization flow to inform the end-user that authorization has been granted to the requesting device.
default value:
async function successSource(ctx) { // @param ctx - koa request context ctx.body = `<!DOCTYPE html> <html> <head> <title>Sign-in Success</title> <style>/* css and html classes omitted for brevity, see lib/helpers/defaults.js */</style> </head> <body> <div> <h1>Sign-in Success</h1> <p>Your sign-in ${ctx.oidc.client.clientName ? `with ${ctx.oidc.client.clientName}` : ''} was successful, you can now close this page.</p> </div> </body> </html>`;}userCodeConfirmSource
Section titled “userCodeConfirmSource”Specifies the HTML source that shall be rendered when the device flow feature displays a confirmation prompt to the User-Agent. This template is presented after successful user code validation to confirm the authorization request before proceeding with the device authorization flow.
default value:
async function userCodeConfirmSource(ctx, form, client, deviceInfo, userCode) { // @param ctx - koa request context // @param form - form source (id="op.deviceConfirmForm") to be embedded in the page and // submitted by the End-User. // @param deviceInfo - device information from the device_authorization_endpoint call // @param userCode - formatted user code by the configured mask ctx.body = `<!DOCTYPE html> <html> <head> <title>Device Login Confirmation</title> <style>/* css and html classes omitted for brevity, see lib/helpers/defaults.js */</style> </head> <body> <div> <h1>Confirm Device</h1> <p> <strong>${ctx.oidc.client.clientName || ctx.oidc.client.clientId}</strong> <br/><br/> The following code should be displayed on your device<br/><br/> <code>${userCode}</code> <br/><br/> <small>If you did not initiate this action, the code does not match or are unaware of such device in your possession please close this window or click abort.</small> </p> ${form} <button autofocus type="submit" form="op.deviceConfirmForm">Continue</button> <div> <button type="submit" form="op.deviceConfirmForm" value="yes" name="abort">[ Abort ]</button> </div> </div> </body> </html>`;}userCodeInputSource
Section titled “userCodeInputSource”Specifies the HTML source that shall be rendered when the device flow feature displays a user code input prompt to the User-Agent. This template is presented during the device authorization flow when the authorization server requires the end-user to enter a device-generated user code for verification.
default value:
async function userCodeInputSource(ctx, form, out, err) { // @param ctx - koa request context // @param form - form source (id="op.deviceInputForm") to be embedded in the page and submitted // by the End-User. // @param out - if an error is returned the out object contains details that are fit to be // rendered, i.e. does not include internal error messages // @param err - error object with an optional userCode property passed when the form is being // re-rendered due to code missing/invalid/expired let msg; if (err && (err.userCode || err.name === 'NoCodeError')) { msg = '<p>The code you entered is incorrect. Try again</p>'; } else if (err && err.name === 'AbortedError') { msg = '<p>The Sign-in request was interrupted</p>'; } else if (err) { msg = '<p>There was an error processing your request</p>'; } else { msg = '<p>Enter the code displayed on your device</p>'; } ctx.body = `<!DOCTYPE html> <html> <head> <title>Sign-in</title> <style>/* css and html classes omitted for brevity, see lib/helpers/defaults.js */</style> </head> <body> <div> <h1>Sign-in</h1> ${msg} ${form} <button type="submit" form="op.deviceInputForm">Continue</button> </div> </body> </html>`;}