Add support for OAuth 2.0 Device Authorization Grant (RFC 8628)

[psubocz]

I’d like to propose adding the Device Authorization Grant (RFC 8628), also known as the “device flow.” This grant is widely used by CLIs, TVs, and IoT devices where a browser is not available.

Why

• Fills the last major gap in Boruta’s OAuth2/OIDC coverage

• Provides a standards-based alternative to custom API keys or password grant flows

• Already supported by most major IdPs (Google, Microsoft, Auth0)

What’s needed

• New endpoint: POST /oauth/device_authorization returning device_code, user_code, verification_uri, etc.

• Token endpoint update: support grant_type=urn:ietf:params:oauth:grant-type:device_code with polling & errors (authorization_pending, slow_down, expired_token)

• Verification UI: simple page where user enters user_code and approves scopes

• Schema: table for device_codes (device_code, user_code, client_id, scope, status, expires_at, interval)

Questions

Would you be open to including this in Boruta auth core?

Should it live alongside the other grants, or be an optional extension?

[patatoid]

I think it would be a great addition to the implementation, thank you for highlighting the specification.

This can be a feature enabled by a switch in Boruta.Oauth.Client structure, helping configured client to have the flow active being disabled by default.

Device codes can be part of the oauth_tokens table, having a specific type for those.

How would you see the implementation of the specification?