Protocol Action: 'OAuth 2.0 Device Authorization Grant' to Proposed Standard (draft-ietf-oauth-device-flow-15.txt)

The IESG <iesg-secretary@ietf.org> Wed, 27 March 2019 09:08 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-announce/bpgfpkjlWoZHr6OZPCGWjlXXuNY>

The IESG has approved the following document:
- 'OAuth 2.0 Device Authorization Grant'
  (draft-ietf-oauth-device-flow-15.txt) as Proposed Standard

This document is the product of the Web Authorization Protocol Working Group.

The IESG contact persons are Benjamin Kaduk and Eric Rescorla.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/

Technical Summary

  This OAuth 2.0 authorization flow for browserless and input-constrained devices, often referred to as the device flow, enables OAuth clients to request user authorization from devices that have an Internet connection, but don't have an easy input method (such as a smart TV, media console, picture frame, or printer), or lack a suitable browser for a more traditional OAuth flow.  This authorization flow instructs the user to perform the authorization request on a secondary device, such as a smartphone.  There is no requirement for communication between the constrained device and the user's secondary device.


Working Group Summary

  The device flow used to be part of the OAuth 2.0 specification, but it was later moved to its own separate document based on the WG feedback and support:
https://mailarchive.ietf.org/arch/msg/oauth/pQafddqfV3W3U_skHuR7E6ZQ44I
https://mailarchive.ietf.org/arch/msg/oauth/U7FsPASLxhNz4eB2FNypw4n952c

The WG document received many reviews and much feedback from multiple WG members on the mailing list and during the WG meetings.


Document Quality

The document has been implemented by Google, Facebook, Microsoft, ForgeRock, Salesforce, Curity Identity Server, and MITREid Connect.
https://developers.google.com/youtube/v3/guides/auth/devices
https://developers.facebook.com/docs/facebook-login/for-devices
https://github.com/Azure-Samples/active-directory-dotnet-deviceprofile
https://backstage.forgerock.com/docs/am/5.5/oauth2-guide/#rest-api-oauth2-device-flow
https://releasenotes.docs.salesforce.com/en-us/spring17/release-notes/rn_security_auth_device_flow.htm
https://www.curity.io/product/
https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server

Also, it seems that ETSI has a specification based on this document:
https://www.ietf.org/mail-archive/web/oauth/current/msg15969.html
https://mailarchive.ietf.org/arch/msg/oauth/23ARrozt4RUUHA_NRiet7c38oIA
http://www.etsi.org/deliver/etsi_ts/103400_103499/103407/01.01.01_60/ts_103407v010101p.pdf
https://tech.ebu.ch/groups/CPA

There is also a different use for this mechanism as stated here:
https://mailarchive.ietf.org/arch/msg/oauth/VzEo9rqC3kmqCuLFR-JcYQvIM3Q
 

Personnel

The document shepherd is Rifaat Shekh-Yusef. 
The responsible Area Director is Eric Rescorla.
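
The flow outlined in the Technical Summary, as an added sketch that is not part of the IESG announcement or the draft's own text: an in-memory authorization server and a polling device client, run on a simulated clock so nothing sleeps. Parameter and error names follow the device authorization grant specification; `AuthServer`, `poll_for_token`, the timing defaults and the `as.example` URL are constructed for illustration.

```python
import secrets

class AuthServer:
    """Constructed in-memory authorization server; all names here are illustrative."""
    def __init__(self, expires_in=60, interval=5):
        self.expires_in, self.interval, self.grants = expires_in, interval, {}

    def device_authorization(self, client_id, now):
        device_code = secrets.token_urlsafe(32)  # high entropy, never shown to the user
        # Short code the user types on the secondary device (vowel-free alphabet).
        user_code = "".join(secrets.choice("BCDFGHJKLMNPQRSTVWXZ") for _ in range(8))
        self.grants[device_code] = {"client_id": client_id, "user_code": user_code,
            "status": "authorization_pending", "expires": now + self.expires_in,
            "last_poll": None, "interval": self.interval}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://as.example/device",  # placeholder URL
                "expires_in": self.expires_in, "interval": self.interval}

    def user_decision(self, user_code, approve):
        """Runs on the secondary device, after the user has authenticated there."""
        for g in self.grants.values():
            if g["user_code"] == user_code and g["status"] == "authorization_pending":
                g["status"] = "approved" if approve else "access_denied"

    def token(self, device_code, client_id, now):
        g = self.grants.get(device_code)
        if g is None or g["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if now >= g["expires"]:
            return {"error": "expired_token"}
        too_fast = g["last_poll"] is not None and now - g["last_poll"] < g["interval"]
        g["last_poll"] = now
        if too_fast:                      # throttle runaway pollers
            g["interval"] += 5
            return {"error": "slow_down"}
        if g["status"] != "approved":     # still pending, or denied by the user
            return {"error": g["status"]}
        del self.grants[device_code]      # a device_code is redeemed at most once
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}

def poll_for_token(server, client_id, resp, start=0, decide_at=None, approve=True):
    """Device-side polling on a simulated clock; the user decides at decide_at."""
    now, interval, seen = start, resp["interval"], []
    while True:
        now += interval
        if decide_at is not None and now >= decide_at:
            server.user_decision(resp["user_code"], approve)
            decide_at = None
        r = server.token(resp["device_code"], client_id, now)
        if r.get("error") not in ("authorization_pending", "slow_down"):
            return r, seen
        seen.append(r["error"])
        interval += 5 if r["error"] == "slow_down" else 0
```

The device and the secondary device never talk to each other: the only shared state is the grant record the server keys by `device_code` and looks up by `user_code`.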