OAuth 2.0 Device Authorization Grant (device flow) enables authentication on input-constrained devices like CLIs, smart TVs, and IoT devices without requiring users to type passwords. The flow involves two endpoints: the device requests a short user code and verification URL, displays them to the user, then polls the token endpoint until the user approves on a secondary device. Five polling response states must be handled correctly: authorization_pending, slow_down, expired_token, access_denied, and success. Common implementation pitfalls include treating user_code as secret, ignoring slow_down signals, missing rate limiting on the verification page, non-atomic code consumption, and confusing device flow with PKCE.
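As an added example (not code from the original post), a client-side polling loop that handles all five token-endpoint states listed above, applying RFC 8628's slow_down rule of adding 5 seconds to the interval and honouring the device code's expiry locally; the endpoint responses are a constructed sample delivered through an injected `fetch` helper so it runs offline.

```python
import time
from typing import Callable, Dict, Tuple

# Constructed sample of token-endpoint JSON bodies seen during one device flow
# (assumption: the user needs a few polls to approve on their phone).
SAMPLE_RESPONSES = [
    {"error": "authorization_pending"},
    {"error": "slow_down"},
    {"error": "authorization_pending"},
    {"access_token": "example-token", "token_type": "Bearer"},
]
TERMINAL_ERRORS = {"expired_token": "expired", "access_denied": "denied"}

def poll_token_endpoint(fetch: Callable[[], Dict], interval: int, expires_in: int,
                        sleep=time.sleep, clock=time.monotonic) -> Tuple[str, Dict]:
    """Poll until a terminal state and return (state, payload).
    fetch() is a hypothetical injected helper doing one POST with
    grant_type=urn:ietf:params:oauth:grant-type:device_code, so this runs offline.
    """
    deadline = clock() + expires_in  # honour the device_code lifetime locally
    while clock() < deadline:
        sleep(interval)  # RFC 8628 s3.5: wait the interval between requests
        body = fetch()
        if "access_token" in body:
            return "success", body
        err = body.get("error")
        if err == "authorization_pending":
            continue  # user has not decided yet; keep the same interval
        if err == "slow_down":
            interval += 5  # RFC 8628 s3.5: add 5 seconds and keep polling
            continue
        if err in TERMINAL_ERRORS:
            return TERMINAL_ERRORS[err], body  # stop; a new flow must be started
        return "error", body  # e.g. invalid_grant or invalid_client: do not retry
    return "expired", {"error": "expired_token"}  # local expiry; stop polling

class FakeClock:
    """Stands in for real sleeping so the sample runs instantly and deterministically."""
    def __init__(self): self.now = 0.0
    def sleep(self, seconds): self.now += seconds
    def monotonic(self): return self.now

def run_sample(responses=SAMPLE_RESPONSES):
    """Drive the loop over a response list; returns (state, payload, seconds_elapsed)."""
    it = iter(responses)
    clock = FakeClock()
    state, body = poll_token_endpoint(lambda: next(it), interval=5, expires_in=600,
                                      sleep=clock.sleep, clock=clock.monotonic)
    return state, body, clock.now
```

With the sample above the loop waits 5, 5, 10 and 10 seconds (30 in total) because the slow_down response raises the interval for every later request; a real client should also stop on any unknown error rather than retrying it.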

5 min read, from stackoverflow.blog