OAuth 2.0 Device Authorization Flow in Salesforce

For input-restricted devices that connect to the Internet, instead of authenticating the user directly, the device prompts the user to go to a link on a computer or smartphone to authorize the device. This avoids a poor user experience on devices that cannot easily enter text. To do this, the device app uses the device authentication flow (authorized with OAuth 2.0), passes the client ID, initiates the authentication process, and receives a token. 

How It Work?

The device authentication flow includes two different paths. One occurs on the device requesting authorization, the other on the browser. The browser flow path, where device code is bound to a session within the browser, occurs in parallel with part of the device flow path. 

Don't forget to check out: Introducing Screen Flow in Salesforce

Device Flow

1. A user launches an app on the device. 
2. The device app uses the client ID (/oauth/device/code endpoint) to request authorization from the Auth0 authorization server. 
3. The Auth0 authorization server responds with the device code, user code, verification URI, verification URI_fully expired_in (device code and user code expiration time in seconds), and polling interval. 
4. The device app asks the user to activate using their computer or smartphone. The app may accomplish this by: 
   • Once these values are displayed on the screen, ask the user to visit the verification URI and enter the user code. 
   • Ask the user to interact with the QR code or shortened URL embedded with the user code generated from verification_uri_complete. 
   • Using verification_uri_complete to navigate directly to a verification page with embedded user code when running natively on a browser-based device 
5. The device app will start querying the Auth0 authorization server for an access token (/oauth/token endpoint) using the duration specified in the interval from the time it received the response from the last query request. The device app continues polling until the user completes the browser flow path or the user's code expires. 
6. After the user successfully completes the browser flow path, the Auth0 authorization server responds with an access token (and optionally a refresh token). The device app should forget the device passcode when it expires. 
7. Device apps can use the access token to call APIs and access information about the user. 
8. The API will respond with the requested data. 

Check out another amazing blog by Nikhil here: What is Apex in Salesforce? | The Developer Guide

Browser Flow 

1. The user accesses the verification URI on their computer, enters the user code, and verifies that the activated device displays the user code. Device validation is only required if the user accesses validation_uri_complete through another mechanism (such as scanning a QR code).
2. The Auth0 authorization server redirects users to log in and consent prompts as needed.
3. The user authenticates using one of the configured sign-in options and may be presented with a consent page asking to authorize the device app.
4. The device app is authorized to access API.