
Device Authorization Grant

RFC 8628 for input-constrained devices — CLI, TV, IoT. The device shows a user code; the user approves it on a second screen.

The Device Authorization Grant (RFC 8628) lets input-constrained clients — CLIs, TVs, IoT — authenticate without a browser on the device itself. The device displays a short user code; the user enters it on a phone or laptop to approve.

Implemented

Device grant is fully implemented, including the hosted-login /device page (user-code entry → approve/deny) and admin management of pending device authorizations.

The flow

Device requests authorization

The (client-authenticated) device calls the device authorization endpoint and gets a device_code, a human-friendly user_code (e.g. BCDF-GHJK), and verification URIs.

POST /v1/oauth/device_authorization - Start device authorization
curl -X POST https://api.qeetid.com/v1/oauth/device_authorization \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "client_id=$CLIENT_ID" \
  --data-urlencode "scope=openid profile"  # encodes the space between scopes
DeviceAuthorizationResponse (JSON)
{
  "device_code": "…",
  "user_code": "BCDF-GHJK",
  "verification_uri": "https://login.qeetid.com/device",
  "verification_uri_complete": "https://login.qeetid.com/device?user_code=BCDF-GHJK",
  "expires_in": 600,
  "interval": 5
}

Device shows the code

"Go to login.qeetid.com/device and enter BCDF-GHJK." The user opens the URL on another device. The hosted /device page fetches the request context (client name + scopes) and renders an approve/deny screen.

GET /v1/oauth/device - Device verification context
POST /v1/oauth/device/decision - Approve / deny

Device polls for the token

Meanwhile the device polls the token endpoint with the device-code grant type, respecting interval.

POST /v1/oauth/token-code - grant_type=device_code
Bash
curl -X POST https://api.qeetid.com/v1/oauth/token-code \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d grant_type=urn:ietf:params:oauth:grant-type:device_code \
  -d "device_code=$DEVICE_CODE" \
  -d "client_id=$CLIENT_ID"

Until approval, the endpoint returns authorization_pending (or slow_down). After approval it returns the token response.
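
The polling rules above as a client-side loop (an added example, not Qeet's code). `post` is a hypothetical caller-supplied transport that returns the HTTP status and parsed JSON body, and the sample replies are constructed. The 5-second slow_down increment and the terminal access_denied / expired_token errors follow RFC 8628 section 3.5 rather than anything this page states.

```python
import time

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"

class DeviceFlowError(Exception):
    """Terminal outcome: stop polling and restart the flow from step one."""

def poll_for_token(post, device_code, client_id, interval=5, expires_in=600,
                   sleep=time.sleep, clock=time.monotonic):
    """Poll until tokens arrive or the flow fails. `post` is a hypothetical
    caller-supplied transport: it sends the form to the token endpoint and
    returns (http_status, parsed_json_body)."""
    form = {"grant_type": GRANT_TYPE, "device_code": device_code,
            "client_id": client_id}
    deadline = clock() + expires_in
    while True:
        sleep(interval)                    # never poll faster than `interval`
        if clock() >= deadline:
            raise DeviceFlowError("expired_token")  # local expires_in cutoff
        status, body = post(form)
        if status == 200:
            return body                    # the token response
        error = body.get("error")
        if error == "authorization_pending":
            continue                       # user has not decided yet
        if error == "slow_down":
            interval += 5                  # RFC 8628 section 3.5: add 5 seconds
            continue
        # access_denied, expired_token, or anything unexpected: stop polling.
        raise DeviceFlowError(error or "http_%d" % status)

def demo():
    # Constructed replies and a fake clock, so this runs offline and instantly.
    now, waits = [0.0], []
    replies = iter([(400, {"error": "authorization_pending"}),
                    (400, {"error": "slow_down"}),
                    (400, {"error": "authorization_pending"}),
                    (200, {"access_token": "constructed", "token_type": "Bearer"})])
    def fake_sleep(seconds):
        waits.append(seconds)
        now[0] += seconds
    tokens = poll_for_token(lambda form: next(replies), "constructed-device-code",
                            "constructed-client", sleep=fake_sleep,
                            clock=lambda: now[0])
    return tokens, waits

if __name__ == "__main__":
    print(demo())
```

Treat device_code as a bearer secret while polling: keep it out of logs and error messages, and discard it once the loop returns or raises.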

Admin management

Tenant admins can list and inspect pending device authorizations.

GET /v1/tenants/{tenantID}/oauth/devices - List device authorizations
GET /v1/tenants/{tenantID}/oauth/devices/{id} - Inspect one
