Red Hat Single Sign-On (“RH-SSO”) is a core service that is part of a number of products such as the Red Hat Enterprise Application Platform. Red Hat® SSO is a powerful tool that provides several options to securely authenticate users for your application. If you have a native application or a browser-based application that can prompt and gather a user's login credentials, RH-SSO has you covered. But what happens when the application is not browser-based? What if the application is running on a device that has limited user input capabilities? For example, no keyboard or perhaps only a small LCD screen. Fortunately, the OAuth 2.0 specification covers this scenario as part of their Device Authorization Grant, aka, Device Code Flow. (RFC 8628, section 3)
You may not have heard of the term 'device code grant’ but chances are you have used it. Have you authorized an app on a smart TV, game console, or streaming device that required a shortcode and the use of your phone to enter a username and password? Then you were using some variation of the device code grant pattern that is part of the OAuth 2.0 specification. OAuth 2.0 specifies several flow patterns that applications and servers must use to securely exchange credential information and tokens. While most of the authorization flow patterns cover situations where there is a way for the user to easily input their credentials, such as username and password, device code grant specifically addresses situations where user input is inconvenient or maybe even impossible. A familiar example of this is a smart TV where you are required to use a clunky remote control and an on-screen keyboard to enter a long username and password. The device code grant gets around this step by allowing the user to input credentials using a secondary device such as a smartphone or computer web browser.
Red Hat SSO is compliant with the OAuth 2.0 and OpenID Connect specifications. Compliance with these three specifications alone would cover a great deal of the use cases that most organizations have. No good tool would be complete without a way to customize the tool to cover new or different use cases. And RH-SSO does not disappoint in this regard. The level of customization that RH-SSO provides makes it more of an “Identity Framework” than just an identity tool. I will show you a solution we have recently implemented that leverages and extends RH-SSO to implement a completely OAuth 2.0 compliant device code grant that can be used to authorize applications running on any device.
The Device Grant Pattern
Device Authorization Grant is an optional part of the OAuth 2.0 specification (RFC 8628 - Section 3) that defines the interaction between a device, a user, and an authorization server. What makes this pattern different from other patterns in the OAuth 2.0 specification is the use of a secondary device (such as a phone or computer) to provide an easier way for the user to interact with the authorization server (i.e. entering their credentials).