Device Flow

Introduction

The Device Flow is an OAuth 2.0 authorization flow designed for devices that lack a web browser or have limited input capabilities, such as smart TVs, IoT devices, gaming consoles, and CLI applications. Unlike traditional OAuth flows that rely on redirects, the Device Flow enables users to authenticate by entering a code on a separate device with a browser.

Learning Objectives

By the end of this blog, you will:

  • Understand what the Device Flow is and why it’s needed.
  • Learn how to configure Device Flow in Salesforce.
  • Explore the step-by-step process of Device Flow with a sequence diagram.
  • Identify common mistakes and best practices.
  • Recognize the top advantages and disadvantages of using Device Flow.

What is Device Flow?

The Device Flow is a mechanism in OAuth 2.0 that allows devices without an interactive browser to securely obtain access tokens. Instead of direct user authentication on the device, a separate device (such as a mobile phone or computer) is used to authorize the request.

Why Use Device Flow?

  • Suitable for devices without keyboards or browsers.
  • Eliminates the need for direct user authentication on limited-input devices.
  • Provides secure authentication without exposing user credentials.

When to Use Device Flow?

  • IoT Devices (e.g., smart home systems, industrial devices).
  • Smart TVs that require access to cloud services.
  • Gaming Consoles for online authentication.
  • Command Line Interfaces (CLI) for authentication in scripts.

Where is Device Flow Used in Salesforce?

Salesforce supports the Device Flow for connected apps. It allows users to log in on a different device and grant access without requiring a direct browser-based authentication on the requesting device.


How Does Device Flow Work?

Step-by-Step Process:

  1. Device Requests Authorization
    • The device sends a request to Salesforce’s authorization server with its client ID.
    • Salesforce responds with a device code (used by the device when polling), a short user code (shown to the user), and a user verification URL.
  2. User Authentication on a Separate Device
    • The user opens the provided URL on a browser-enabled device (e.g., mobile or computer).
    • They enter the user code displayed on the device.
  3. Salesforce Prompts for Login
    • If the user is not logged in, Salesforce asks them to sign in.
    • If already authenticated, Salesforce asks for approval to grant access.
  4. Device Polls Salesforce for Token
    • The device repeatedly polls Salesforce’s token endpoint with the device code, waiting the interval Salesforce specifies between requests.
    • Once the user approves access, Salesforce responds with an access token; until then it reports that authorization is still pending.
  5. Access Token is Used
    • The device uses the access token to call Salesforce APIs.
    • It remains valid until expiration or revocation.

Advantages and Disadvantages

Advantages

  • Works on Input-Restricted Devices
    • Ideal for IoT devices, smart TVs, and CLI applications where direct user input is challenging.
  • Secure Authentication
    • No need to enter credentials directly on the device, reducing the risk of credential theft.
  • Supports Multi-Factor Authentication (MFA)
    • Users can approve login via Salesforce MFA on a secondary device, adding an extra layer of security.

Disadvantages

  • Requires a Secondary Device
    • The user must have a browser-enabled device to complete authentication.
  • Slower Authentication Process
    • The polling mechanism introduces a delay between code entry and token retrieval.
  • Not Suitable for Fast-Paced Logins
    • If users need instant authentication, other OAuth flows like Web Server Flow are preferable.

Common Mistakes and Tips

  • Mistake 1: Polling too frequently may cause rate-limiting errors.
    • Tip: Follow the recommended polling interval and use progressive backoff.
  • Mistake 2: If users delay approval, the device code expires, requiring a restart.
    • Tip: Detect expired codes early and prompt users to restart authentication.
  • Mistake 3: Storing tokens in logs or unencrypted storage risks unauthorized access.
    • Tip: Use encrypted storage and follow OAuth security best practices.
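The following is an added example (not code from the original post or from Salesforce) that walks through the step-by-step process above and the three mistakes just listed: it requests a device code, shows the user code, polls at the server's interval, backs off when told to slow down, aborts cleanly on an expired code, and never writes the access token to output. The authorization server is a constructed in-memory fake so the flow runs offline; the response field names (`device_code`, `user_code`, `verification_uri`, `interval`, `access_token`) and error strings (`authorization_pending`, `slow_down`, `expired_token`) follow the OAuth device flow conventions and are assumptions here, not taken from the page.

```python
import time


class FakeAuthServer:
    """Constructed stand-in for an authorization server (not a real Salesforce endpoint)."""

    def __init__(self, approve_after_polls, expires_after_polls=None):
        self.polls = 0
        self.approve_after = approve_after_polls
        self.expires_after = expires_after_polls

    def device_authorization(self, client_id):
        # Step 1: device sends its client ID, gets device code, user code, URL and interval.
        return {"device_code": "constructed-device-code", "user_code": "ABCD-1234",
                "verification_uri": "https://example.invalid/verify", "interval": 5}

    def token(self, device_code):
        # Step 4: each poll is answered with pending / slow_down / expired / a token.
        self.polls += 1
        if self.expires_after is not None and self.polls > self.expires_after:
            return {"error": "expired_token"}          # Mistake 2: user took too long
        if self.polls == 1:
            return {"error": "slow_down"}              # Mistake 1: server asks for backoff
        if self.polls <= self.approve_after:
            return {"error": "authorization_pending"}  # user has not approved yet
        return {"access_token": "constructed-token", "token_type": "Bearer"}


def device_login(server, client_id, sleep=time.sleep):
    """Run the device flow; return (access_token, final_interval). Raises TimeoutError on expiry."""
    auth = server.device_authorization(client_id)
    # Step 2: only the user code and URL are shown; the device code stays private.
    print(f"Visit {auth['verification_uri']} and enter code {auth['user_code']}")
    interval = auth["interval"]
    while True:
        sleep(interval)                                # never poll faster than the server allows
        resp = server.token(auth["device_code"])
        if "access_token" in resp:
            # Mistake 3: return the token to the caller; do not print or log it.
            return resp["access_token"], interval
        err = resp.get("error")
        if err == "authorization_pending":
            continue
        if err == "slow_down":
            interval += 5                              # progressive backoff on slow_down
            continue
        if err == "expired_token":
            raise TimeoutError("device code expired; restart the flow with a new code")
        raise RuntimeError(f"authorization failed: {err}")
```

The `sleep` parameter is injectable so the polling schedule can be recorded or skipped in tests; in production leave the default so the interval is actually honoured.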

Summary

  • Device Flow is used for authentication on devices without a web browser.
  • It works by delegating authentication to another device.
  • Salesforce provides a device code and user URL for authorization.
  • The device polls for access tokens until the user approves.
  • Advantages include secure login, MFA support, and compatibility with IoT devices.
  • Disadvantages include the need for a second device, slower authentication, and polling delays.

Quiz or Self-Assessment

  1. What type of devices benefit the most from Device Flow?
    a) Laptops
    b) IoT devices
    c) Web browsers
    d) Mobile apps
  2. How does the device get an access token in Device Flow?
    a) The user enters their credentials on the device
    b) The device sends the user code and waits for approval
    c) The device generates an access token on its own
  3. What happens if the user does not approve the request in time?
    a) The device automatically gets an access token
    b) The request expires, and the process must restart
    c) The user is logged in automatically

(Answers: 1-b, 2-b, 3-b)


Conclusion

The Device Flow is an essential OAuth 2.0 mechanism for authenticating devices with limited input capabilities. By delegating authentication to a separate device, Salesforce ensures a secure and user-friendly login process for IoT, CLI, and smart devices.

Additional Resources

https://help.salesforce.com/s/articleView?id=sf.remoteaccess_oauth_web_server_flow.htm&type=5