Query String for User Code in Verification URI for OAuth Device Authorization Grant?

Kneebone, Brian 0 Reputation points
2025-01-23T06:25:03.3566667+00:00

Many other implementations of the device auth/code grant allow for the code to be embedded in the URI for user convenience in the query string. This is helpful as a user convenience typically enabled by a QR code of course specifying a more complete URI. Here are some altered examples below where I've stripped out the FQDN and modified the code (even though short lived and long expired).

  • https://.../provider?shortcode=NXIBY
  • https://.../tv/activate?user_code=XHV-NJP-GZK&cxqr=cnL5NLai4YVD_tz52H_G2Q
  • https://.../hook/tvAuthorize?pin=20489741

I can't find the equivalent way to do this with MS Entra ID using their implementation of the Device Auth/Code Grant. Does anyone know if there's a query string that can be used for including the code so the user doesn't have to type it in? Additionally, if there's some best practice info (e.g. bad form for certain use cases) I'm open to that too of course.

Much appreciated for any feedback or advice.

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. Raja Pothuraju 12,120 Reputation points Microsoft Vendor
    2025-01-23T10:41:19.07+00:00

    Hello @Kneebone, Brian,

    Thank you for posting your query on Microsoft Q&A.

    Based on your description, I understand that you are looking to set up an application using the OAuth 2.0 device code flow. Specifically, you want to include "user_code": "XXXR9P379" directly in the "verification_uri": "https://microsoft.com/devicelogin" so that users do not need to manually enter the code, thereby eliminating the need for user interaction. Please let me know if I have misunderstood your requirement.

    As per the design and documentation for the device code flow, the process begins with the client sending a POST request to:

    https://login.microsoftonline.com/{tenant}/oauth2/v2.0/devicecode  
    Content-Type: application/x-www-form-urlencoded  
    

    With the following parameters:

    client_id=00001111-aaaa-2222-bbbb-3333cccc4444  
    &scope=user.read%20openid%20profile  
    

    The device authorization service responds with the following details:

    {
        "user_code": "XXXR9P379",
        "device_code": "HAQABIQEAAABVrSpeuWamRam2jAF1XRQEikFPgcpw4lW0XFolZzBxnPxzGcGjyIX5hAibiCzXo45xWhsYXwmEMDzBNvtABDXGLoWBTwY7r2eS3Cc4N4nzR0VSxasxahsxkshddrTycOXm0uKjNashajydnndakahHirCgGAGLMa6wutWgxKMTeCuX4pDGq4gAA",
        "verification_uri": "https://microsoft.com/devicelogin",
        "expires_in": 900,
        "interval": 5,
        "message": "To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code XXXR9P379 to authenticate."
    }
    

    After receiving the user_code and verification_uri, the client displays these values and directs the user to sign in using their mobile or PC browser.

    From this point, the user has 15 minutes to visit the verification_uri, enter the provided user_code, and complete authentication.

    While the user is authenticating at the verification_uri, the client should poll the /token endpoint using the device_code to obtain the requested token. The token is generated once the user completes authentication.

    However, based on the OAuth 2.0 device code flow, embedding the user_code directly into the verification_uri (e.g., as a query string) is not supported. User interaction is required, and the user must manually enter the code to complete the authentication process. I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,
    Raja Pothuraju.
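
An added example (not part of the original answer, and not Microsoft's code) of the client side of this flow in Python. It decides what to show the user, using the optional `verification_uri_complete` field from RFC 8628 when a server returns one and falling back to manual entry for a response like the one in the answer, then polls while honoring `interval` and `expires_in`. The `post_token` hook and the placeholder `device_code` are assumptions.

```python
import time

# Device authorization response from the answer above; the device_code is a
# constructed placeholder, not the value from the page.
SAMPLE = {
    "user_code": "XXXR9P379",
    "device_code": "PLACEHOLDER-DEVICE-CODE",
    "verification_uri": "https://microsoft.com/devicelogin",
    "expires_in": 900,
    "interval": 5,
}


def user_prompt(resp):
    """Return (url, user_code, must_type) for the device's screen or QR code."""
    # verification_uri_complete is OPTIONAL in RFC 8628; the response shown in
    # the answer does not contain it, so must_type is True for that response.
    complete = resp.get("verification_uri_complete")
    # Always return the code: the user should be able to compare what the
    # device shows with what the sign-in page shows.
    return (complete or resp["verification_uri"], resp["user_code"], not complete)


def poll_for_token(resp, post_token, sleep=time.sleep, now=time.monotonic):
    """Poll until a token arrives, the grant fails, or the code expires.

    post_token(device_code) -> dict is a hypothetical transport hook that
    POSTs to the /token endpoint and returns the parsed JSON body.
    """
    interval = resp.get("interval", 5)
    deadline = now() + resp["expires_in"]
    while now() < deadline:
        sleep(interval)
        body = post_token(resp["device_code"])
        if "access_token" in body:
            return body
        error = body.get("error")
        if error == "authorization_pending":
            continue  # user has not finished signing in yet
        if error == "slow_down":
            interval += 5  # RFC 8628: back off by 5 seconds
            continue
        # Any other error (declined, expired, bad code): stop polling.
        raise RuntimeError(f"device flow failed: {error}")
    raise TimeoutError("user_code expired before sign-in completed")
```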

