/oauth2/device/code

Device Flow endpoint as defined by the Internet-Draft OAuth 2.0 Device Flow. Client devices use this endpoint to present a user code to the resource owner that can be exchanged for an access token in the following flows:

You must compose the path to the device code endpoint addressing the specific realm where the user code will be issued. For example, https://openam.example.com:8443/openam/oauth2/realms/root/realms/subrealm1/device/code.

The device code endpoint supports the following parameters:

response_type

Specifies the response expected from the authorization server. Set to device_code to obtain a user code.

Required: Yes.

client_id

Specifies the client ID unique to the application making the request.

Required: Yes.

state

Value to maintain state between the request and the callback. During authentication, the client sends this parameter to the authorization server. The authorization server must send it back unchanged in the response.

The application should use this value to ensure the response belongs to the user that initiated the requests, which mitigates CSRF attacks.

The value of state is typically a base64-encoded string that contains user state and that is unique to a user and their request.

Required: No, but it is strongly recommended.

code_challenge

Specifies a string derived from the code verifier that is sent in the authorization request during the Device with PKCE flow.

Required: Yes, when obtaining a user code in the Device with PKCE Flow.

code_challenge_method

Contains the method used to derive the code challenge. Possible values are plain and S256. When unset, it defaults to plain.

Required: Yes, when obtaining a user code in the Device with PKCE Flow.

nonce

String value that associates the client session with the ID Token that also mitigates against replay attacks.

Required: No. OpenID Connect flows only.

acr_values

Authentication Context class Reference values used to communicate acceptable authentication chains or trees.

For more information, see Adding Authentication Requirements to ID Tokens.

Required: No. OpenID Connect flows only.

prompt

A space-separated, case sensitive list of ASCII values that specifies whether AM should prompt the end user for authentication and consent. Possible values are:

  • none. AM does not display authentication or consent pages.

  • login. AM prompts the end user to authenticate.

  • consent. AM prompts the end user to grant consent.

Required: No. OpenID Connect flows only.

ui_locales

Specifies a space-separated list of the end user preferred languages for the user interface, ordered by preference. For example, en fr-CA fr.

Required: No. OpenID Connect flows only.

login_hint

String value indicating the ID to use for login.

When provided as part of the OpenID Connect Authentication Request, the login_hint is set as the value of a cookie named oidcLoginHint, which is an HttpOnly cookie (only sent over HTTPS). Authentication modules can then retrieve the cookie's value.

For more information, see GSMA Mobile Connect.

Required: No. OpenID Connect flows only.

claims

Specifies a JSON object containing specific attributes about users to be returned in the ID Token.

Required: No. OpenID Connect flows only.

claim_token

Specifies an ID token containing the claims gathered during the UMA grant flow. Use together with the claim_token_format parameter.

Required: No. UMA Grant flow only.

claim_token_format

Specifies that the type of the token gathered during the UMA grant flow. AM only supports ID tokens as claim tokens. Possible values are:

  • https://openid.net/specs/openid-connect-core-1_0.html#IDToken

Use together with the claim_token parameter.

Required: No. UMA Grant flow only.

Read a different version of :