1.2.2.2 Device Flow

The device flow allows you to authorize users for a headless app, such as a CLI tool or Git credential manager.

Overview of the device flow:

  1. Your app requests device and user verification codes and gets the authorization URL where the user will enter the user verification code.
  2. The app prompts the user to enter a user verification code at:
    https://github.com/login/device.
    
  3. The app polls for the user authentication status. Once the user has authorized the device, the app will be able to make API calls with a new access token.
  1. Step 1—App Requests the Device and User Verification Codes from GitHub
    POST https://github.com/login/device/code
    

    Your app must request a user verification code and verification URL that the app will use to prompt the user to authenticate in the next step. This request also returns a device verification code that the app must use to receive an access token and check the status of user authentication.

    1. Input Parameters
      client_id

      (string) Required The client ID you received from GitHub for your app.

      scope

      (string) The scope that your app is requesting access to.

    2. Response Parameters
      {
        "device_code": "3584d83530557fdd1f46af8289938c8ef79f9dc5",
        "user_code": "WDJB-MJHT",
        "verification_uri": "https://github.com/login/device",
        "expires_in": 900,
        "interval": 5
      }
      
      device_code

      (string) The device verification code is 40 characters long and is used to verify the device.

      user_code

      (string) The user verification code is displayed on the device so the user can enter the code in a browser. This code is 8 characters with a hyphen in the middle.

      verification_uri

      The verification URL where users need to enter the user_code:

      https://github.com/login/device
      
      expires_in

      (integer) The number of seconds before the device_code and user_code expire. The default is 900 seconds or 15 minutes.

      interval

      (integer) The minimum number of seconds that must pass before you can make a new access token request (POST https://github.com/login/oauth/access_token) to complete the device authorization.

  2. Step 2—Prompt the user to enter the user code in a browser

    Your device will show the user verification code and prompt the user to enter the code at

    https://github.com/login/device.
    
  3. Step 3—App polls GitHub to check if the user authorized the device

    Your app will make device authorization requests that poll

    POST https://github.com/login/oauth/access_token
    

    until the device and user codes expire or the user has successfully authorized the app with a valid user code. The app must use the minimum polling interval retrieved in step 1 to avoid rate limit errors.

    The user must enter a valid code within 15 minutes (or 900 seconds). After 15 minutes, you will need to request a new device authorization code with

    POST https://github.com/login/device/code
    

    Once the user has authorized, the app will receive an access token that can be used to make requests to the API on behalf of a user.

    1. Input Parameters
      client_id

      (string) Required The client ID you received from GitHub for your OAuth App.

      device_code

      (string) Required The device verification code you received from the request to:

      POST https://github.com/login/device/code
      
      grant_type

      (string) Required The grant type must be:

      urn:ietf:params:oauth:grant-type:device_code
      
    2. Response
      {
        "access_token": "e72e16c7e42f292c6912e7710c838347ae178b4a",
        "token_type": "bearer",
        "scope": "user"
      }
      
  4. Error Codes for the Device Flow
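
Steps 1 to 3 as one client routine, written as an added example (not code from GitHub or from this manual). Assumptions: the `Accept: application/json` header is sent so replies arrive as JSON like the samples above; the error names `authorization_pending` and `slow_down` come from RFC 8628 and are not listed on this page; the `post`, `sleep`, `clock` and `show` parameters are hypothetical hooks so the loop can be exercised offline.

```python
import json
import time
import urllib.parse
import urllib.request

DEVICE_CODE_URL = "https://github.com/login/device/code"
TOKEN_URL = "https://github.com/login/oauth/access_token"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"


def http_post(url, params):
    """POST form parameters and decode the JSON reply (Accept header is an assumption)."""
    req = urllib.request.Request(
        url,
        data=urllib.parse.urlencode(params).encode(),
        headers={"Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def device_login(client_id, scope="", post=http_post, sleep=time.sleep,
                 clock=time.monotonic, show=print):
    """Run steps 1-3 and return the token response; raise if no token is issued."""
    # Step 1: request the device and user verification codes.
    grant = post(DEVICE_CODE_URL, {"client_id": client_id, "scope": scope})
    deadline = clock() + grant["expires_in"]
    interval = grant["interval"]
    # Step 2: show only the user code; the device_code stays inside the app.
    show(f"Open {grant['verification_uri']} and enter {grant['user_code']}")
    # Step 3: poll no faster than `interval` until a token, a refusal, or expiry.
    while clock() + interval < deadline:
        sleep(interval)
        reply = post(TOKEN_URL, {"client_id": client_id,
                                 "device_code": grant["device_code"],
                                 "grant_type": GRANT_TYPE})
        if "access_token" in reply:
            return reply
        error = reply.get("error")
        if error == "authorization_pending":  # user has not entered the code yet
            continue
        if error == "slow_down":  # polled too fast: back off by 5 s (RFC 8628)
            interval = reply.get("interval", interval + 5)
            continue
        raise PermissionError(f"device authorization failed: {error}")
    raise TimeoutError("codes expired; request a new device code and start over")
```

The returned access token is a bearer credential, so keep it out of logs and terminal output; only the user code is meant to be displayed.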
