Client devices use this endpoint to present a user code to the resource owner that can be exchanged for an access token in the following flows:
You must compose the path to the device code endpoint addressing the specific realm where the user code will be issued.
The device code endpoint supports the following parameters:
Specifies the client ID unique to the application making the request.
Value to maintain state between the request and the callback. During authentication, the client sends this parameter to the authorization server. The authorization server must send it back unchanged in the response.
The application should use this value to ensure the response belongs to the user that initiated the requests, which mitigates CSRF attacks.
The value of
stateis typically a base64-encoded string that contains user state and that is unique to a user and their request.
Required: No, but it is strongly recommended.
The scopes attached to the permissions requested from the resource owner by the client. If not specified, the default scopes specified in the client or the authorization server are requested.
Required: No, providing default scopes are defined in the OAuth 2.0 client configuration.
Specifies a string derived from the code verifier that is sent in the authorization request during the device flow with PKCE.
Required: Yes, when obtaining a user code in the device flow with PKCE.
Contains the method used to derive the code challenge. Possible values are
S256. When unset, it defaults to
Required: Yes, when obtaining a user code in the device with PKCE Flow.
String value that associates the client session with the ID Token that also mitigates against replay attacks.
Authentication Context class Reference values used to communicate acceptable authentication trees.
For more information, see Add authentication requirements to ID tokens.
A space-separated, case-sensitive list of ASCII values that specifies whether AM should prompt the end user for authentication and consent. Possible values are:
none. AM does not display authentication or consent pages.
login. AM prompts the end user to authenticate.
consent. AM prompts the end user to grant consent.
Specifies a space-separated list of the end user preferred languages for the user interface, ordered by preference. For example,
en fr-CA fr.
String value indicating the ID to use for login.
When provided as part of the OpenID Connect Authentication Request, the
login_hintis set as the value of a cookie named
oidcLoginHint, which is an HttpOnly cookie (only sent over HTTPS).
For more information, see GSMA Mobile Connect.
Specifies a JSON object containing specific attributes about users to be returned in the ID Token.