
Odd history of OAuth 2 device flow

Çağlar Arlı


OAuth 2 device flow has an odd history. It's found in early versions of the RFC, but was then taken out seemingly without an explanation I could find. Recently, a new draft was proposed specifically to reintroduce it independently.

The device flow is suitable for clients executing on devices that do not have an easy data-entry method and where the client is incapable of receiving incoming requests from the authorization server (incapable of acting as an HTTP server).

The other flows do not cover the scenario addressed by device flow so it has utility. Google supports it and has an example of it in action. Can anyone shed any light on why device flow was dropped from the OAuth 2 standard - are there security concerns we should know about?
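To make concrete what the question is describing, here is an added example (not code from the post or from Google's implementation) that models the device flow exchange from the draft the question mentions (later published as RFC 8628) as an in-memory authorization server: the device requests a code pair, the user approves the short user code on a second device, and the device polls the token endpoint. The class name, the `https://as.example/device` URI and the client id are assumptions for illustration.

```python
import secrets

# Consonant-only alphabet for the human-typed user code, so codes do not spell words.
ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


class DeviceFlowServer:
    """Minimal in-memory authorization server for the device flow (constructed example)."""

    def __init__(self, lifetime=600, interval=5):
        self.lifetime, self.interval = lifetime, interval
        self.pending = {}  # device_code -> state dict

    def device_authorization(self, client_id, scope, now):
        # Step 1: the input-constrained device asks for a code pair. The device_code is
        # long and secret; the user_code is short because a human must type it elsewhere,
        # which is why the approval endpoint must be rate-limited against guessing.
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(ALPHABET) for _ in range(8))
        self.pending[device_code] = {"client_id": client_id, "scope": scope, "user_code": user_code,
                                     "approved": False, "expires_at": now + self.lifetime, "last_poll": None}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://as.example/device",  # assumed URI
                "expires_in": self.lifetime, "interval": self.interval}

    def approve(self, user_code, now):
        # Step 2: on a browser-capable device the authenticated user enters the user_code.
        for state in self.pending.values():
            if state["user_code"] == user_code and now < state["expires_at"]:
                state["approved"] = True
                return True
        return False

    def token(self, device_code, client_id, now):
        # Step 3: the device polls; error names follow the draft. The device never receives
        # an inbound request, which is the property that makes this flow fit the scenario.
        state = self.pending.get(device_code)
        if state is None or state["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if now >= state["expires_at"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if state["last_poll"] is not None and now - state["last_poll"] < self.interval:
            state["last_poll"] = now
            return {"error": "slow_down"}  # client must back off before polling again
        state["last_poll"] = now
        if not state["approved"]:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # a device_code is redeemed once
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "scope": state["scope"]}
```

The user-code entropy (here 20^8 combinations) and the approval endpoint's rate limit are what stand between an attacker and guessing a pending code, which is the main security consideration specific to this grant.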