Microsoft identity platform and the OAuth 2.0 device authorization grant flow

The Microsoft identity platform supports the device authorization grant, which allows users to sign in to input-constrained devices such as a smart TV, IoT device, or a printer. To enable this flow, the device has the user visit a webpage in a browser on another device to sign in. Once the user signs in, the device is able to get access tokens and refresh tokens as needed.

This article describes how to program directly against the protocol in your application. When possible, we recommend you use the supported Microsoft Authentication Libraries (MSAL) instead to acquire tokens and call secured web APIs. You can refer to sample apps that use MSAL for examples.

Protocol diagram

The entire device code flow is shown in the following diagram. Each step is explained throughout this article.

Device code flow

Device authorization request

The client must first check with the authentication server for a device and user code used to initiate authentication. The client collects this request from the /devicecode endpoint. In the request, the client should also include the permissions it needs to acquire from the user.

From the moment the request is sent, the user has 15 minutes to sign in. This is the default value for expires_in. The request should only be made when the user indicates they're ready to sign in.

// Line breaks are for legibility only.

POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/devicecode
Content-Type: application/x-www-form-urlencoded

client_id=00001111-aaaa-2222-bbbb-3333cccc4444
&scope=user.read%20openid%20profile

Parameter Condition Description
tenant Required Can be /common, /consumers, or /organizations. It can also be the directory tenant that you want to request permission from in GUID or friendly name format.
client_id Required The Application (client) ID that the Microsoft Entra admin center – App registrations experience assigned to your app.
scope Required A space-separated list of scopes that you want the user to consent to.

Device authorization response

A successful response is a JSON object containing the required information to allow the user to sign in.

Parameter Format Description
device_code String A long string used to verify the session between the client and the authorization server. The client uses this parameter to request the access token from the authorization server.
user_code String A short string shown to the user used to identify the session on a secondary device.
verification_uri URI The URI the user should go to with the user_code in order to sign in.
expires_in int The number of seconds before the device_code and user_code expire.
interval int The number of seconds the client should wait between polling requests.
message String A human-readable string with instructions for the user. This can be localized by including a query parameter in the request of the form ?mkt=xx-XX, filling in the appropriate language culture code.

Note

The verification_uri_complete response field is not included or supported at this time. We mention this because if you read the standard you see that verification_uri_complete is listed as an optional part of the device code flow standard.

Authenticating the user

After the client receives user_code and verification_uri, the values are displayed and the user is directed to sign in via their mobile or PC browser.

If the user authenticates with a personal account, using /common or /consumers, they're asked to sign in again in order to transfer authentication state to the device. This is because the device is unable to access the user's cookies. They're asked to consent to the permissions requested by the client. However, this doesn't apply to work or school accounts used to authenticate.

While the user is authenticating at the verification_uri, the client should be polling the /token endpoint for the requested token using the device_code.

POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

grant_type=urn:ietf:params:oauth:grant-type:device_code&client_id=00001111-aaaa-2222-bbbb-3333cccc4444&device_code=GMMhmHCXhWEzkobqIHGG_EnNYYsAkukHspeYUk9E8...
Parameter Required Description
tenant Required The same tenant or tenant alias used in the initial request.
grant_type Required Must be urn:ietf:params:oauth:grant-type:device_code
client_id Required Must match the client_id used in the initial request.
device_code Required The device_code returned in the device authorization request.

Expected errors

The device code flow is a polling protocol so errors served to the client must be expected prior to completion of user authentication.

Error Description Client Action
authorization_pending The user hasn't finished authenticating, but hasn't canceled the flow. Repeat the request after at least interval seconds.
authorization_declined The end user denied the authorization request. Stop polling and revert to an unauthenticated state.
bad_verification_code The device_code sent to the /token endpoint wasn't recognized. Verify that the client is sending the correct device_code in the request.
expired_token Value of expires_in has been exceeded and authentication is no longer possible with device_code. Stop polling and revert to an unauthenticated state.

Successful authentication response

A successful token response looks like:

{
    "token_type": "Bearer",
    "scope": "User.Read profile openid email",
    "expires_in": 3599,
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q...",
    "refresh_token": "AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMxZGUTdM0t4B4...",
    "id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdWQiOiIyZDRkMTFhMi1mODE0LTQ2YTctOD..."
}
Parameter Format Description
token_type String Always Bearer.
scope Space separated strings If an access token was returned, this lists the scopes in which the access token is valid for.
expires_in int Number of seconds the included access token is valid for.
access_token Opaque string Issued for the scopes that were requested.
id_token JWT Issued if the original scope parameter included the openid scope.
refresh_token Opaque string Issued if the original scope parameter included offline_access.

You can use the refresh token to acquire new access tokens and refresh tokens using the same flow documented in the OAuth Code flow documentation.

Warning

Don't attempt to validate or read tokens for any API you don't own, including the tokens in this example, in your code. Tokens for Microsoft services can use a special format that will not validate as a JWT, and may also be encrypted for consumer (Microsoft account) users. While reading tokens is a useful debugging and learning tool, do not take dependencies on this in your code or assume specifics about tokens that aren't for an API you control.