Ping Identity PT-AM-CPE Exam - Topic 1 Question 6 Discussion

The Device Authorization Grant (commonly referred to as the Device Flow, RFC 8628) is a specialized OAuth 2.0 grant flow supported by PingAM 8.0.2. It is designed for internet-connected devices that either lack a browser or have limited input capabilities (e.g., Smart TVs, IoT devices, or CLI tools).

In this flow, the interaction is split between the 'Device' and a 'Secondary Device' (like a smartphone or laptop) that has a full browser. The User Code is a fundamental component of this process:

Device Request: The device requests a code from PingAM.

PingAM Response: AM returns a Device Code (for the device) and a User Code (a short, human-readable string like BCDF-GHJK).

User Action: The device displays the User Code and a verification URL to the user.

Authorization: The user navigates to the URL on their smartphone, logs into PingAM, and enters the User Code.

Token Issuance: Once the user authorizes the request, the device (which has been polling AM using the Device Code) receives the Access and Refresh tokens.

The User Code is unique to the Device Flow (Option D). It is not used in the Client Credentials Grant (which is machine-to-machine), the Authorization Code Grant (which uses a redirect-based code), or the Resource Owner Password Credentials Grant (which uses direct username/password submission). In PingAM 8.0.2, administrators can configure the length, character set, and expiration time of these user codes within the OAuth2 Provider settings.