Authkestra

Device Flow

The Device Authorization Flow (RFC 8628) enables authentication on devices with limited input capabilities, like smart TVs, CLI tools, or IoT devices.

Overview

When a device can't easily handle browser redirects or has no keyboard, the Device Flow lets users authenticate by entering a short code on a separate device (like their phone or computer).

How It Works

  1. Device requests authorization from the provider
  2. Provider returns a user code and verification URL
  3. Device displays the code and URL to the user
  4. User visits the URL on another device and enters the code
  5. User authenticates and authorizes
  6. Device polls the token endpoint until authorization completes
  7. Provider returns access tokens to the device

Provider Support

Not all OAuth providers support Device Flow. GitHub, Google, and Microsoft are common providers that do. Check your provider's documentation.

Implementation

The Device Flow involves three main steps: initiating the request, prompting the user, and polling for the token.

use authkestra_flow::DeviceFlow;

let flow = DeviceFlow::new(client_id, device_auth_url, token_url);

// 1. Initiate authorization
let device_resp = flow.initiate_device_authorization(&["user"]).await?;

// 2. Prompt user (example CLI output)
println!("Go to {} and enter code: {}",
    device_resp.verification_uri,
    device_resp.user_code
);

// 3. Poll for the token
let token = flow.poll_for_token(&device_resp.device_code, device_resp.interval).await?;

Full Example

For a complete working implementation of a CLI-based device flow, see the example in the repository:

Polling Interval

The device_resp.interval field contains the minimum polling interval (in seconds) specified by the provider. Polling more frequently may result in rate-limiting errors.
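
How a client should react to each token endpoint reply while polling, as an added example that is not Authkestra's own code: a small state machine applying the RFC 8628 rules for authorization_pending, slow_down, access_denied and expired_token, plus the 5-second default interval. PollState and Next are hypothetical names, and the reply sequence in main is constructed.

```rust
// Added example, not Authkestra code: all names here are hypothetical.
use std::time::Duration;

#[derive(Debug, PartialEq)]
pub enum Next {
    Done,                // token response received: stop polling
    PollAfter(Duration), // sleep this long, then poll again
    Fail(&'static str),  // terminal error: stop and restart the flow
}

pub struct PollState { interval: Duration, waited: Duration, expires_in: Duration }

impl PollState {
    /// RFC 8628 section 3.2: default to 5 s when the provider omits `interval`.
    pub fn new(interval: Option<u64>, expires_in: u64) -> Self {
        PollState {
            interval: Duration::from_secs(interval.unwrap_or(5)),
            waited: Duration::ZERO,
            expires_in: Duration::from_secs(expires_in),
        }
    }

    /// `error` is the token endpoint's "error" field, or None on success.
    pub fn on_response(&mut self, error: Option<&str>) -> Next {
        match error {
            None => return Next::Done,
            Some("authorization_pending") => {}
            // Section 3.5: slow_down adds 5 s to this and every later wait.
            Some("slow_down") => self.interval += Duration::from_secs(5),
            Some("access_denied") => return Next::Fail("user denied the request"),
            Some("expired_token") => return Next::Fail("device code expired"),
            Some(_) => return Next::Fail("unexpected token endpoint error"),
        }
        // Give up locally once the next wait would outlive the device code.
        if self.waited + self.interval > self.expires_in {
            return Next::Fail("device code expired");
        }
        self.waited += self.interval;
        Next::PollAfter(self.interval)
    }
}

fn main() {
    let mut s = PollState::new(Some(5), 900);
    // Constructed sequence of token endpoint replies, not captured traffic.
    for e in [Some("authorization_pending"), Some("slow_down"), None] {
        println!("{:?} -> {:?}", e, s.on_response(e));
    }
}
```

Treating every Fail as terminal means a denied or expired device code is discarded rather than retried, so the user has to start a fresh authorization.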

Use Cases

Device Flow is ideal for:

  • CLI Applications: Authenticate users in terminal-based tools
  • Smart TVs: Login on devices with limited input
  • IoT Devices: Secure authentication for connected devices
  • Gaming Consoles: User authentication without a keyboard
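  • Kiosk Mode: Public terminals or shared devices

// Example: CLI tool authentication
// `authenticate_with_device_flow` and `save_token_to_config` are helpers
// defined by the application. `.await` needs an async runtime; Tokio is
// assumed here.
#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    println!("Welcome to MyCLI!");
    println!("You need to authenticate to continue.\n");

    // Start device flow
    let token = authenticate_with_device_flow().await?;

    // Save token for future use
    save_token_to_config(&token)?;

    println!("Authenticated! You can now use the CLI.");
    Ok(())
}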
