[OAUTH-WG] Suggested enhancement of the OAuth Device Flow

Jaap Francke <jaap.francke@iwelcome.com> Fri, 07 July 2017 06:33 UTC

From: Jaap Francke <jaap.francke@iwelcome.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: Suggested enhancement of the OAuth Device Flow
Date: Fri, 07 Jul 2017 06:33:34 +0000
Message-ID: <86D2DFE8-DBAC-4B78-B471-07E246185E5F@iwelcome.com>
References: <mailman.73.1499367624.15598.oauth@ietf.org>
In-Reply-To: <mailman.73.1499367624.15598.oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Spml0TgQthGaglNZlxcMYe0IL0o>
Subject: [OAUTH-WG] Suggested enhancement of the OAuth Device Flow

Hi all,

Recently we were working with one of our customers to implement the device flow as part of our IDaaS.
One of the requirements was the ability to revoke tokens for one of the devices at the Resource Server.

In our use case, we used the terminology ‘pairing a device to the enduser’s account’ to describe the process of authorising a device to access the resource owner’s resources.
The resource owner may want to ‘unpair’ a device from a list of paired devices without having access to the device itself (anymore). Think about a stolen/lost kind of situation.
We are looking for ways to allow the user to unpair one of his devices at the Authorisation Server.
Since the Device Flow exchanges only the ‘generic’ client_id with the Authorisation Server, there is no logical way at the Resource Server to make a distinction between various devices (having the same client_id) that may be paired to the same Resource Owner.

My suggestion is the following:
- add an optional parameter to the device authorisation request (or device access token request): 'device_identifier'. A device can use this to make (for example) its serial-number known at the Resource Server.
- add an optional parameter to the device access token response that allows communicating a name for the device as may have been given to it by the resource owner while allowing the clients access (E). This parameter could be something like ‘device_name’. The device may be able to display this ‘device_name’ on its display.

Please consider this as a suggested enhancement of the Device Flow specifications.

Kind regards,

Jaap Francke
Product Manager, iWelcome
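The following is an added illustration of the proposal above; it is not code from the email, from iWelcome, or from the Device Flow draft. It is a toy in-memory authorization server that implements the device authorization and token endpoints with the two optional parameters the email suggests (`device_identifier` on the request, `device_name` on the token response), plus an `unpair` operation so the resource owner can revoke one lost device among several that share the same `client_id`. The grant type URN is the real device-flow value; the endpoint names, the `Pairing` record, the `introspect` check, the `https://as.example/device` URI and the serial numbers are all my own assumptions for this example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Real grant_type value defined by the OAuth Device Flow.
GRANT_TYPE_DEVICE = "urn:ietf:params:oauth:grant-type:device_code"


@dataclass
class Pairing:
    """One device's authorization state ("pairing", in the email's terminology)."""
    client_id: str
    device_identifier: Optional[str]   # proposed request parameter, e.g. a serial number
    owner: Optional[str] = None        # resource owner who approved the user_code
    device_name: Optional[str] = None  # proposed response parameter, chosen by the owner
    approved: bool = False
    access_token: Optional[str] = None
    revoked: bool = False


class DeviceFlowServer:
    """Minimal in-memory authorization server, constructed for illustration only."""

    def __init__(self) -> None:
        self._pairings: Dict[str, Pairing] = {}   # device_code -> Pairing
        self._user_codes: Dict[str, str] = {}     # user_code -> device_code
        self._tokens: Dict[str, Pairing] = {}     # access_token -> Pairing

    def device_authorization(self, client_id: str,
                             device_identifier: Optional[str] = None) -> dict:
        """Device authorization request. Many devices share one client_id, so the
        optional device_identifier is what lets the server tell them apart later."""
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(4).upper()
        self._pairings[device_code] = Pairing(client_id, device_identifier)
        self._user_codes[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://as.example/device",  # placeholder URI
                "expires_in": 600, "interval": 5}

    def approve(self, user_code: str, owner: str,
                device_name: Optional[str] = None) -> bool:
        """Resource owner enters the user_code at the verification URI and may
        give the device a human-readable name at the same time."""
        device_code = self._user_codes.pop(user_code, None)
        if device_code is None:
            return False
        pairing = self._pairings[device_code]
        pairing.owner, pairing.device_name, pairing.approved = owner, device_name, True
        return True

    def token(self, grant_type: str, device_code: str, client_id: str) -> dict:
        """Device access token request (the device polls this endpoint)."""
        if grant_type != GRANT_TYPE_DEVICE:
            return {"error": "unsupported_grant_type"}
        pairing = self._pairings.get(device_code)
        if pairing is None or pairing.client_id != client_id or pairing.revoked:
            return {"error": "invalid_grant"}
        if not pairing.approved:
            return {"error": "authorization_pending"}
        if pairing.access_token is None:
            pairing.access_token = secrets.token_urlsafe(32)
            self._tokens[pairing.access_token] = pairing
        response = {"access_token": pairing.access_token, "token_type": "Bearer"}
        if pairing.device_name is not None:
            response["device_name"] = pairing.device_name  # proposed extension
        return response

    def paired_devices(self, owner: str) -> List[Tuple[Optional[str], Optional[str]]]:
        """What the owner would see in a 'my devices' list at the authorization server."""
        return [(p.device_identifier, p.device_name) for p in self._pairings.values()
                if p.owner == owner and p.approved and not p.revoked]

    def unpair(self, owner: str, device_identifier: str) -> int:
        """Revoke one device's pairing by identifier, without access to the device.
        Returns the number of pairings revoked."""
        count = 0
        for p in self._pairings.values():
            if p.owner == owner and p.device_identifier == device_identifier and not p.revoked:
                p.revoked = True
                count += 1
        return count

    def introspect(self, access_token: str) -> dict:
        """Resource server check: a revoked pairing makes its token inactive."""
        pairing = self._tokens.get(access_token)
        return {"active": pairing is not None and not pairing.revoked}


def lost_device_scenario() -> dict:
    """Two devices with the same client_id are paired to one owner; the owner then
    unpairs the lost one by serial number. Returns the observable outcome."""
    srv = DeviceFlowServer()
    tv = srv.device_authorization("smart-tv-app", device_identifier="SN-TV-0001")
    stb = srv.device_authorization("smart-tv-app", device_identifier="SN-STB-0002")
    srv.approve(tv["user_code"], "alice", device_name="Living room TV")
    srv.approve(stb["user_code"], "alice", device_name="Bedroom box")
    tv_tok = srv.token(GRANT_TYPE_DEVICE, tv["device_code"], "smart-tv-app")
    stb_tok = srv.token(GRANT_TYPE_DEVICE, stb["device_code"], "smart-tv-app")
    paired_before = len(srv.paired_devices("alice"))
    revoked = srv.unpair("alice", "SN-STB-0002")   # the lost device
    return {"paired_before": paired_before, "revoked": revoked,
            "paired_after": len(srv.paired_devices("alice")),
            "tv_name": tv_tok.get("device_name"),
            "tv_active": srv.introspect(tv_tok["access_token"])["active"],
            "stb_active": srv.introspect(stb_tok["access_token"])["active"]}
```

Without `device_identifier`, both pairings in `lost_device_scenario` would carry `None` and `unpair` could only revoke both or neither, which is exactly the gap the email describes. Note that the identifier is asserted by the client, so the server should treat it as a label for the owner's device list, not as something that authenticates the device.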