OAuth2 for Devices
Title: OAuth 2 for Devices
Session: Wednesday, Session 3, Space E
Conference: IIW-11 November 2-4, Mountain View, Complete Notes Page
Convener: Marius S.
Note Taker: Andrew Wansley
Discussion Notes:
What is a device
A device, as we're concerned with it here, has a display and limited or painful input. We're explicitly not talking about headless devices, i.e. devices with no display and/or no input, like a refrigerator. As far as we know, those just run a web server locally and use the web-server profile.
What's the flow
From the user's perspective, the device displays a URL and code. User goes to URL and enters the code. The device magically works.
From the device's perspective, the device presents the AuthZ server with a client ID and gets back a URL, a user code (which it displays to the user), and a device code used for polling. The device then starts polling the AuthZ server, which tells it "not yet" for a while and then eventually returns either yes with a token, or no.
The AuthZ server has preregistered the device and replies to the device's requests as described above.
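The exchange just described, modelled end to end as an added example (this is constructed illustration code, not anything shown in the session): an in-memory AuthZ server with a device-authorization endpoint and a polling endpoint, a user step, and a device loop that polls until it gets a decision. The endpoint and status names ("authorization_pending", "access_denied", etc.) are assumptions for the model, and the user code is kept to eight digits because the device's user has painful input.

```python
import secrets

class AuthzServer:
    def __init__(self, registered_clients):
        self.clients = set(registered_clients)  # preregistered device client IDs
        self.pending = {}                       # device_code -> pending request

    def device_authorization(self, client_id):
        # Device sends its client ID; gets back a URL and user code to display
        # and a device code that is used only for polling, never shown.
        if client_id not in self.clients:
            raise PermissionError("unregistered client")
        device_code = secrets.token_urlsafe(32)
        user_code = f"{secrets.randbelow(10**8):08d}"  # short enough to type
        self.pending[device_code] = {"client_id": client_id, "user_code": user_code, "status": "pending"}
        return {"verification_url": "https://authz.example/device",
                "user_code": user_code, "device_code": device_code}

    def user_decides(self, user_code, approve):
        # User visits the URL in a normal browser session and types the code.
        for state in self.pending.values():
            if state["user_code"] == user_code and state["status"] == "pending":
                state["status"] = "approved" if approve else "denied"
                return True
        return False

    def token(self, client_id, device_code):
        # Polling endpoint: "not yet" until the user decides, then yes or no.
        state = self.pending.get(device_code)
        if state is None or state["client_id"] != client_id:
            return ("invalid_grant", None)
        if state["status"] == "pending":
            return ("authorization_pending", None)
        del self.pending[device_code]  # decided: the device code is single use
        if state["status"] == "approved":
            return ("ok", secrets.token_urlsafe(32))
        return ("access_denied", None)

def run_flow(server, client_id, user_approves, max_polls=5):
    # Whole exchange: device request, polling, user deciding after the 2nd poll.
    resp = server.device_authorization(client_id)
    statuses = []
    for i in range(max_polls):
        status, token = server.token(client_id, resp["device_code"])
        statuses.append(status)
        if status != "authorization_pending":
            return statuses, token
        if i == 1:
            server.user_decides(resp["user_code"], user_approves)
    return statuses, None
```

A real server additionally expires outstanding codes after a few minutes and rate-limits polling; both are left out of this model for brevity.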
The session fixation attack
Trick the user into approving it from a link. Somewhat of a weakness, but not a huge threat.
Other sorts of connections
I've already paired my PlayStation with my Sony account. It would be nice if, when I add a Netflix app, it could just pair with Sony's frontend, and then that connection could live across devices. In this case we could just do a web-server flow.
Another way to authorize devices is to share credentials over Bluetooth. For example, I can authorize my photo frame by connecting my Android.