Flow for IoT device with no display or input

Hello,

We currently have a product that is an IoT device with no display or input method.
In order to activate it with a user account, we use a native mobile app that communicates with a Spring Boot web app that responds to the Password Flow, and sends back access+refresh tokens.

The access+refresh tokens are then sent from the mobile app to the IoT device via an encrypted channel, and the IoT device is then able to stay logged in forever by refreshing the access token on its own.

It has worked for us the past couple years because we own the mobile app/web app/IoT device. However, I’m aware that it is not optimal, and does not support federated identity (dealbreaker).

What flow would you suggest to authenticate the user on the mobile app, have the IoT device be logged on forever (unless credentials are no longer valid) and support federated identities (e.g. Facebook)?

Thanks in advance!

Hi there!

I would recommend the Client Credentials, Device Flow or Authorization Code + PKCE Flow. They seem to suit what you are looking for.

https://developer.okta.com/books/api-security/authn/federated/

They all support federated identities.

However, I don’t recommend the Resource Owner Password Flow; please avoid using this flow.

The OAuth device authorization grant was specifically designed for this purpose (https://tools.ietf.org/html/rfc8628).


Hello,

Thank you for your replies!
Yes, I am fully aware of the Device / Auth Code / Client Credentials flows and I did read that article on how to add the Device Flow to Okta.

Another auth provider suggests using the Client Credentials flow for IoT (machine to machine) but I’m ambivalent… Generating a new Client ID / Secret pair for each end-user IoT product does not seem very efficient, and it would need to be matched with the customer account as well.

On the other hand, the Device Flow looks appropriate indeed but I’m a bit confused on how the “user code” should be handled when the IoT does not have a display. In that case, is it acceptable that the client device (IoT) returns both user_code and verification_uri to the secondary device to input them automatically during authentication?

Thanks in advance
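As an added illustration of the RFC 8628 device grant exchange the replies point to (example code written for this page, not Okta's, the poster's or any library's), the in-memory model below plays both sides: the authorization server issues device_code and user_code, the IoT device hands only user_code and verification_uri(_complete) to the phone, the phone submits the user_code once the user has signed in (which is where a federated login would happen), and the device polls the token endpoint handling the authorization_pending, slow_down and expired_token responses. The AuthServer class, the client id, the code formats and the https://auth.example.com URLs are constructed for the example, and time is simulated in seconds.

```python
import secrets

class AuthServer:
    def __init__(self, lifetime=600, interval=5):
        self.lifetime, self.interval = lifetime, interval
        self.requests, self.by_user_code = {}, {}      # device_code -> state, user_code -> device_code
    def device_authorization(self, client_id, now):
        device_code = secrets.token_urlsafe(32)                                # high entropy, stays on the device
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))  # short, human-typeable
        self.requests[device_code] = {"client_id": client_id, "user_code": user_code, "approved": False,
                                      "expires": now + self.lifetime, "last_poll": None}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code, "expires_in": self.lifetime,
                "interval": self.interval, "verification_uri": "https://auth.example.com/device",
                "verification_uri_complete": f"https://auth.example.com/device?user_code={user_code}"}
    def approve(self, user_code, now):
        # Called by the secondary device once the user has signed in (possibly via a federated IdP).
        req = self.requests.get(self.by_user_code.pop(user_code, None))      # pop: a user_code is single use
        if req is None or now > req["expires"]:
            return False
        req["approved"] = True
        return True
    def token(self, client_id, device_code, now):
        req = self.requests.get(device_code)
        if req is None or req["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if now > req["expires"]:
            return {"error": "expired_token"}
        last, req["last_poll"] = req["last_poll"], now
        if last is not None and now - last < self.interval:
            return {"error": "slow_down"}
        if not req["approved"]:
            return {"error": "authorization_pending"}
        del self.requests[device_code]                                         # device_code is single use too
        return {"access_token": secrets.token_urlsafe(32), "refresh_token": secrets.token_urlsafe(32)}

def run_flow(server, approve_at=7):
    # IoT device side, simulated seconds: fetch codes, hand off only user-facing fields, poll for tokens.
    now, polls, approved = 0, 0, False
    codes = server.device_authorization("iot-client", now)
    handoff = {k: codes[k] for k in ("user_code", "verification_uri", "verification_uri_complete")}
    while True:
        now, polls = now + codes["interval"], polls + 1
        if approve_at is not None and approve_at <= now and not approved:
            approved = server.approve(handoff["user_code"], now)             # phone submits the hand-off
        result = server.token("iot-client", codes["device_code"], now)
        if result.get("error") == "slow_down":
            codes["interval"] += 5                                             # back off as the RFC requires
        elif result.get("error") != "authorization_pending":
            return result, polls, handoff
```

Note that the device_code never appears in the hand-off and both codes are consumed on first use, so the phone only ever carries the short-lived user_code that the user would otherwise have typed.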