OAuth 2.0 Device Authorization Grant

Hi there,

We have a new need in the organisation: we have to provide the device authorization flow for devices on which input is complex.

The flow is described here: keycloak-community/oauth2-device-authorization-grant.md at master · keycloak/keycloak-community · GitHub

But I can't find any official doc about it. Is it implemented, planned to be, or …?

Any help is much appreciated.

Have a good day.

Ok, it seems I'm kind of lucky: this flow is available in Keycloak 13.0, released last week :slight_smile:

Or maybe not so lucky, as it seems to be implemented but there is no documentation yet.

There is no official documentation yet (“We need to add explanation about supporting the spec into keycloak-documentation”), but the “How to try it” (keycloak-community/oauth2-device-authorization-grant.md at master · keycloak/keycloak-community · GitHub) section in the doc gives decent instructions. Have you tried that? I went through it with Keycloak 13, and everything works. Let us know if you have specific questions.

Hi, I have this issue.
I can't enable "OAuth 2.0 Device Grant Enabled" as a public client, only as a private one.
How do I enable it as public?
I'm on version 13.

It may help if someone is looking for this thread.
For the device flow:

If you have Access Type set as public, then you can use the device endpoint without a client secret:
curl --location --request POST 'http://localhost:8080/auth/realms/Communi5/protocol/openid-connect/auth/device' \
  --data-urlencode 'client_id=c5client'

However, if you have the Access Type set as confidential, then you need to specify the client secret as well.

These settings are available in the Clients page of Keycloak.


Docker server version 23.0.7.
I am receiving 405 on the "Device Authorization Endpoint" with or without the client authorization. I can't find any reference to "Access Type".

curl -X POST \
    -d "client_id=osint-client" \
    "http://localhost:9080/realms/osint-realm/protocol/openid-connect/device/auth"

I would also like to confirm whether the client device is a 1-1 or 1-Many association.


"Access Type" refers to the old admin console. In the new one, it's the "Client authentication" switch that changes between public (OFF) and confidential client (ON). If you have it set to ON (that's necessary to enable the Service account grant), you have to add client_secret=[Secret] to your device flow HTTP requests.

The first request of the device and the user authentication with the code have to call the device endpoint (…/openid-connect/auth/device), but then the token has to be queried by the device at the standard token endpoint (…/openid-connect/token).
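The two-endpoint exchange described in the last two replies (device endpoint first, then polling the token endpoint with the device code, with or without client_secret depending on the client authentication switch), as an added example that is not code from the thread or from Keycloak. Only the endpoint paths come from the thread; the realm, client ids, secret, the FakeKeycloak responder and the SimClock are constructed so the script runs offline.

```python
"""OAuth 2.0 Device Authorization Grant exchange against a Keycloak-style server.

Added example for this thread, not Keycloak's code. Endpoint paths are the ones
the thread names; realm, client ids, secret, FakeKeycloak and SimClock are
constructed stand-ins so the flow can be run and checked without a server.
"""
import time
from urllib.parse import urlencode

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


def endpoints(base_url, realm):
    """Real Keycloak paths as given in the thread (new layout, no /auth prefix)."""
    root = f"{base_url}/realms/{realm}/protocol/openid-connect"
    return {"device": f"{root}/auth/device", "token": f"{root}/token"}


def client_credentials(client_id, client_secret=None):
    """Public client (Client authentication OFF): client_id only.
    Confidential client (ON): client_secret travels with every request."""
    creds = {"client_id": client_id}
    if client_secret is not None:
        creds["client_secret"] = client_secret
    return creds


def form_body(form):
    """The x-www-form-urlencoded body that curl --data-urlencode would send."""
    return urlencode(form)


class SimClock:
    """Constructed clock: sleeping just advances time, so polling is instant."""
    def __init__(self):
        self.t = 0.0
    def now(self):
        return self.t
    def sleep(self, seconds):
        self.t += seconds


class RealClock:
    """Use this instead of SimClock when talking to a real server."""
    now = staticmethod(time.time)
    sleep = staticmethod(time.sleep)


class FakeKeycloak:
    """Constructed stand-in for the two endpoints with RFC 8628 behaviour:
    authorization_pending until the user approves (after `approve_after`
    polls), slow_down when polled faster than `interval`, then a token."""

    def __init__(self, client_id, client_secret=None, interval=5, approve_after=2):
        self.client_id, self.client_secret = client_id, client_secret
        self.interval, self.approve_after = interval, approve_after
        self.device_code = "constructed-device-code"
        self.polls, self.last_poll = 0, None

    def _check_client(self, form):
        if form.get("client_id") != self.client_id:
            return 401, {"error": "invalid_client"}
        if self.client_secret is not None and form.get("client_secret") != self.client_secret:
            return 401, {"error": "unauthorized_client"}  # confidential client, secret missing/wrong
        return None

    def device_auth(self, form):
        return self._check_client(form) or (200, {
            "device_code": self.device_code, "user_code": "ABCD-EFGH",
            "verification_uri": "http://localhost:8080/realms/example/device",
            "expires_in": 600, "interval": self.interval})

    def token(self, form, now):
        err = self._check_client(form)
        if err:
            return err
        if form.get("grant_type") != DEVICE_GRANT:
            return 400, {"error": "unsupported_grant_type"}
        if form.get("device_code") != self.device_code:
            return 400, {"error": "invalid_grant"}
        too_fast = self.last_poll is not None and now - self.last_poll < self.interval
        self.last_poll = now
        if too_fast:
            return 400, {"error": "slow_down"}
        self.polls += 1
        if self.polls < self.approve_after:
            return 400, {"error": "authorization_pending"}
        return 200, {"access_token": "constructed-access-token",
                     "token_type": "Bearer", "expires_in": 300}


def run_device_flow(server, client_id, client_secret=None, clock=None, max_polls=20):
    """Device side: one call to the device endpoint, then poll the token
    endpoint with the device_code until a token or a terminal error."""
    clock = clock or RealClock()
    creds = client_credentials(client_id, client_secret)
    status, dev = server.device_auth(creds)
    if status != 200:
        raise RuntimeError(f"device endpoint refused the client: {dev}")
    # The device shows user_code and verification_uri to the user, who approves
    # in a browser; meanwhile the device polls the token endpoint.
    interval = dev.get("interval", 5)
    form = {**creds, "grant_type": DEVICE_GRANT, "device_code": dev["device_code"]}
    for _ in range(max_polls):
        clock.sleep(interval)  # never poll faster than the server asked
        status, tok = server.token(form, clock.now())
        if status == 200:
            return dev, tok
        if tok.get("error") == "authorization_pending":
            continue
        if tok.get("error") == "slow_down":
            interval += 5  # RFC 8628 section 3.5: back off by 5 seconds
            continue
        raise RuntimeError(f"token endpoint returned a terminal error: {tok}")
    raise TimeoutError("user did not approve within the polling budget")


if __name__ == "__main__":
    print(endpoints("http://localhost:8080", "example"))
    print(form_body(client_credentials("c5client")))
    server = FakeKeycloak("c5client")  # public client: no secret needed
    dev, tok = run_device_flow(server, "c5client", clock=SimClock())
    print(dev["user_code"], tok["access_token"], "after", server.polls, "polls")
```

Swap `FakeKeycloak` for a small object whose `device_auth` and `token` methods POST `form_body(form)` to the two URLs from `endpoints()` and return `(status, response.json())`, and the same `run_device_flow` drives a real realm; the polling and back-off logic does not change.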