Merge pull request #5765 from hwupathum/app-native

hwupathum · web-flow · commit 4e093b84fb3f · 2025-12-10T11:07:07.000+05:30
Add device auth flow app-native documentation
diff --git a/en/asgardeo/docs/references/app-native-authentication.md b/en/asgardeo/docs/references/app-native-authentication.md
@@ -5,4 +5,6 @@
 {% include "../../../includes/references/app-native-authentication.md" %}
 {% include "../../../includes/references/push-notification-app-native-reference.md" %}
 {% set session_control_scenario_id = "7" %}
-{% include "../../../includes/references/concurrent-session-based-access-control-app-native-reference.md" %}
+{% include "../../../includes/references/concurrent-session-based-access-control-app-native-reference.md" %}
+{% set api_oauth2_path = "https://api.asgardeo.io/t/{organization_name}/oauth2" %}
+{% include "../../../includes/references/device-flow-app-native-reference.md" %}
diff --git a/en/identity-server/next/docs/references/app-native-authentication.md b/en/identity-server/next/docs/references/app-native-authentication.md
@@ -5,4 +5,6 @@
 {% include "../../../../includes/references/app-native-authentication.md" %}
 {% include "../../../../includes/references/push-notification-app-native-reference.md" %}
 {% set session_control_scenario_id = "7" %}
-{% include "../../../../includes/references/concurrent-session-based-access-control-app-native-reference.md" %}
+{% include "../../../../includes/references/concurrent-session-based-access-control-app-native-reference.md" %}
+{% set api_oauth2_path = "https://localhost:9443/oauth2" %}
+{% include "../../../../includes/references/device-flow-app-native-reference.md" %}
diff --git a/en/includes/guides/authentication/app-native-authentication/handle-advanced-login-scenarios.md b/en/includes/guides/authentication/app-native-authentication/handle-advanced-login-scenarios.md
@@ -19,7 +19,7 @@ To do so,
 
 1. In the {{product_name}} Console, go to **Connections** and select your IdP.
 
-2. In its **General** tab, 
+2. In its **General** tab,
 
     - under **issuer** configure a trusted token issuer.
     - under **Certificates**, configure either upload a certificate or configure a JWKS Endpoint.
@@ -29,13 +29,12 @@ To do so,
 !!! tip
     Refer to the [sample scenario]({{base_path}}/references/app-native-authentication/#scenario-4-user-selects-federated-authentication-native-mode) to see it in action.
 
-
 ### Redirect mode
 
 In the rediect mode, the application redirects the user to the IdP as it does in a [conventional federated login flow]({{base_path}}/guides/authentication/federated-login/). However, under the hood, app-native authentication handles federated authentication slightly differently.
 
 !!! note "How is it different?"
-    
+
     Although federated login flows in both [conventional login]({{base_path}}/guides/authentication/federated-login/) and app-native authentication redirect the user to the external IdP, there is a subtle difference between them.
 
     - **In a conventional flow**, 
@@ -94,7 +93,7 @@ The number of login options a login step has is indicated by the `stepType` para
 
 If it is set to:
 
-- `AUTHENTICATOR_PROMPT`, it is a login step with a single login option. 
+- `AUTHENTICATOR_PROMPT`, it is a login step with a single login option.
 
     The following is part of the response for a single-option login step.
 
@@ -111,8 +110,8 @@ If it is set to:
         ...
     }   
     ```
- 
-- `MULTI_OPTIONS_PROMPT`, it is a login step with multiple login options. 
+
+- `MULTI_OPTIONS_PROMPT`, it is a login step with multiple login options.
 
     The following is part of the response for a multi-option login step.
 
@@ -132,7 +131,7 @@ If it is set to:
 
 In app-native authentication, multi-option steps behave slightly differently compared to a single-option step.
 
-Some authenticators such as `Username & Password` which only require user input, sends its metadata directly in the response. For other authenticators which require a form of 'initiation', the response does not contain the metadata for the authenticator. 
+Some authenticators such as `Username & Password` which only require user input, sends its metadata directly in the response. For other authenticators which require a form of 'initiation', the response does not contain the metadata for the authenticator.
 
 !!! note "Some authenticatiors that require 'initiation'"
 
@@ -145,8 +144,8 @@ If during login, the user selects such an authenticator, the application needs t
 !!! tip
     Refer to the [sample scenario]({{base_path}}/references/app-native-authentication/#scenario-3-user-selects-passkey-login-out-of-multiple-options) to see it in action.
 
-
 ## Handle Single Sign-On
+
 Single Sign-On (SSO) for app-native authentication can be handled in the following two ways.
 
 ### Cookie based SSO
@@ -188,4 +187,23 @@ Given below is a sample authorization request using the `isk` value as the `sess
     ```
 
 !!! note
-    If both cookie based SSO and SessionId based SSO are used, cookie based SSO takes precedence.
+    If both cookie-based SSO and SessionId-based SSO are used, cookie-based SSO takes precedence.
+
+{% if product_name == 'Asgardeo' or is_version >= "7.2.0" %}
+
+## Handle device authorization flow
+
+Device authorization flow lets users log in on input-constrained devices. Examples include smart TVs, printers, and gaming consoles without browsers or keyboards.
+
+To enable device authorization flow:
+
+1. Register your application in the {{product_name}} Console.
+2. Enable **Device Code** under **Grant Types** in your application settings.
+3. Enable [app-native authentication]({{base_path}}/guides/authentication/app-native-authentication/add-app-native-authentication/#enable-app-native-authentication) for your application.
+
+For more information, see [device authorization grant]({{base_path}}/references/grant-types/#device-authorization-grant).
+
+!!! tip
+    Refer to the [sample scenario]({{base_path}}/references/app-native-authentication/#scenario-8-device-authorization-flow) to see it in action.
+
+{% endif %}
diff --git a/en/includes/references/device-flow-app-native-reference.md b/en/includes/references/device-flow-app-native-reference.md
@@ -0,0 +1,154 @@
+### Scenario 8: Device authorization flow
+
+The application goes through the following steps to complete app-native authentication using the device authorization flow.
+
+- **Step 1**: Get the required codes.
+
+    The app initiates a login request to the device authorization endpoint.
+
+    !!! note
+        The response contains the `user_code` and `device_code` required for the client device.
+
+    === "Request (`/device_authorize`)"
+
+        ```bash
+        curl --location '{{api_oauth2_path}}/device_authorize/'
+        --header 'Accept: application/json'
+        --header 'Content-Type: application/x-www-form-urlencoded'
+        --data-urlencode 'client_id=XWRkRNkJDeTiR5MwHdXROGiJka'
+        --data-urlencode 'scope=openid profile'
+        ```
+    === "Response (`/device_authorize`)"
+
+        ```json
+        {
+            "user_code": "s2DqSNK",
+            "device_code": "d3fe0db1-2334-48fa-b7d9-821ecfad10d5",
+            "interval": 5,
+            "verification_uri": "{{api_oauth2_path}}/authenticationendpoint/device.do",
+            "verification_uri_complete": "{{api_oauth2_path}}/authenticationendpoint/device.do?user_code=s2DqSNK",
+            "expires_in": 600
+        }
+        ```
+
+- **Step 2**: Authorize the client device.
+
+    The app on the client device calls the device endpoint with the `user_code` to initiate authentication.
+
+    !!! note
+        Set `response_mode=direct` to initiate app-native authentication.
+
+    === "Request (`/device`)"
+
+        ```bash
+        curl --location '{{api_oauth2_path}}/device/'
+        --header 'Accept: application/json'
+        --header 'Content-Type: application/x-www-form-urlencoded'
+        --data-urlencode 'user_code=s2DqSNK'
+        --data-urlencode 'response_mode=direct'
+        ```
+    === "Response (`/device`)"
+
+        ```json
+        {
+            "flowId": "95339089-72d1-4825-80fe-ab7864f4943b",
+            "flowStatus": "INCOMPLETE",
+            "flowType": "AUTHENTICATION",
+            "nextStep": {
+                "stepType": "AUTHENTICATOR_PROMPT",
+                "authenticators": [
+                    {
+                        "authenticatorId": "QmFzaWNBdXRoZW50aWNhdG9yOkxPQ0FM",
+                        "authenticator": "Username & Password",
+                        "idp": "LOCAL",
+                        "metadata": {
+                            "i18nKey": "authenticator.basic",
+                            "promptType": "USER_PROMPT",
+                            "params": [
+                                {
+                                    "param": "username",
+                                    "type": "STRING",
+                                    "order": 0,
+                                    "i18nKey": "username.param",
+                                    "displayName": "Username",
+                                    "confidential": false
+                                },
+                                {
+                                    "param": "password",
+                                    "type": "STRING",
+                                    "order": 1,
+                                    "i18nKey": "password.param",
+                                    "displayName": "Password",
+                                    "confidential": true
+                                }
+                            ]
+                        },
+                        "requiredParams": [
+                            "username",
+                            "password"
+                        ]
+                    }
+                ]
+            },
+            "links": [
+                    {
+                "name": "authentication",
+                "href": "{{authn_path}}",
+                "method": "POST"
+                }
+            ]
+        }
+        ```
+
+- **Step 3**: Carry the `flowId` received in the above response and request the `/authn` endpoint for username & password authentication.
+
+    === "Request (`/authn`)"
+
+        ```bash
+        curl --location '{{authn_path}}'
+        --header 'Content-Type: application/json'
+        --data '{
+            "flowId": "95339089-72d1-4825-80fe-ab7864f4943b",
+            "selectedAuthenticator": {
+                "authenticatorId": "QmFzaWNBdXRoZW50aWNhdG9yOkxPQ0FM",
+                "params": {
+                    "username": "username",
+                    "password": "password"
+                }
+            }
+        }'
+        ```
+
+    === "Response (`/authn`)"
+
+        ```json
+        {
+            "flowStatus": "SUCCESS_COMPLETED",
+            "authData": {
+                "app_name": "Mobile App"
+            }
+        }
+        ```
+
+- **Step 4**: Once the user completes authentication, the app on the client device polls the token endpoint with the `device_code` to obtain the access token.
+
+    === "Request (`/token`)"
+
+        ```bash
+        curl --location '{{api_oauth2_path}}/token/'
+        --header 'Content-Type: application/x-www-form-urlencoded'
+        --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:device_code'
+        --data-urlencode 'device_code=d3fe0db1-2334-48fa-b7d9-821ecfad10d5'
+        --data-urlencode 'client_id=XWRkRNkJDeTiR5MwHdXROGiJka'
+        ```
+
+    === "Response (`/token`)"
+
+        ```json
+        {
+            "access_token": "74d610ab-7f4a-3b11-90e8-279d76644fc7",
+            "refresh_token": "fdb58069-ecc7-3803-9b8b-6f2ed85eff19",
+            "token_type": "Bearer",
+            "expires_in": 3600
+        }
+        ```
