Cross-device flows enable a user to initiate an authorization flow on one device (the initiating device) and then use a second, personally trusted, device (authorization device) to authorize access to a resource (e.g., access to a service).
These flows are increasingly popular and typically involve using a mobile phone to scan a QR code or enter a user code displayed on an initiating device (e.g., Smart TV, Kiosk, Personal Computer, etc.).
The above is an excerpt from a new IETF "Best current practice" draft about Cross-Device Flows.
IdentityServer implements both the OAuth 2.0 Device Authorization Grant (RFC 8628) and OpenID Connect Client-Initiated Backchannel Authentication (CIBA).
While both protocols can be used for cross-device flows, they have different security properties.
Further:
"The channel between the initiating device and the authorization device is unauthenticated and relies on the user's judgment to decide whether to trust a QR code, user code, or the authorization request pushed to their authorization device.
Several publications have emerged in the public domain, describing how the unauthenticated channel can be exploited using social engineering techniques borrowed from phishing. Unlike traditional phishing attacks, these attacks don't harvest credentials. Instead, they skip the step of collecting credentials by persuading users to grant authorization using their authorization devices."
If you have an existing or planned deployment of a cross-device flow, we highly recommend reading this draft. It contains lots of practical information and helps with protocol selection.
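To make the two halves of the unauthenticated channel concrete, here is an added example (not from the post and not IdentityServer code) that simulates an RFC 8628 Device Authorization Grant server in Python: the initiating device obtains a device code and user code, the authorization device looks the user code up and is shown which client asked and for what scope before the user approves, and the initiating device polls for the token. The controls on the authorization-server side that the draft's threat description motivates are all present: a short code lifetime, a one-shot approve/deny decision, a single-use device code, and a minimum polling interval. The client name, verification URI, constants and every class and function name are this example's own assumptions; the clock is injectable so the expiry paths can be exercised offline.

```python
"""Constructed simulation of an RFC 8628 Device Authorization Grant server.

Added example, not IdentityServer code. Assumptions: in-memory state,
an injectable clock, a fixed verification URI, and a single-step
approve/deny decision taken on the authorization device.
"""
import secrets
import time
from dataclasses import dataclass

# RFC 8628 section 6.1 suggests an alphabet without vowels or ambiguous
# characters so the user code is easy to transcribe from the initiating device.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"
CODE_LIFETIME_S = 300        # short lifetime limits how long a shared code stays usable
POLL_INTERVAL_S = 5          # minimum polling interval handed to the initiating device
VERIFICATION_URI = "https://as.example/device"   # assumed value


@dataclass
class DeviceAuthorization:
    device_code: str
    user_code: str           # stored without the display hyphen
    client_id: str
    scope: str
    expires_at: float
    approved: bool = False
    denied: bool = False
    redeemed: bool = False   # device_code may be exchanged for a token only once
    last_poll: float = 0.0


def normalize_user_code(typed: str) -> str:
    """Tolerate case and separators when the user types the code by hand."""
    return "".join(ch for ch in typed.upper() if ch in USER_CODE_ALPHABET)


class AuthorizationServer:
    def __init__(self, clients: dict, now=time.time):
        self.clients = clients          # client_id -> human-readable client name
        self.now = now                  # clock, injectable for tests
        self.by_device_code: dict[str, DeviceAuthorization] = {}
        self.by_user_code: dict[str, DeviceAuthorization] = {}

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Called by the initiating device (RFC 8628 sections 3.1 and 3.2)."""
        if client_id not in self.clients:
            return {"error": "invalid_client"}
        device_code = secrets.token_urlsafe(32)
        raw = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        auth = DeviceAuthorization(device_code, raw, client_id, scope,
                                   self.now() + CODE_LIFETIME_S)
        self.by_device_code[device_code] = auth
        self.by_user_code[raw] = auth
        return {"device_code": device_code,
                "user_code": f"{raw[:4]}-{raw[4:]}",
                "verification_uri": VERIFICATION_URI,
                "expires_in": CODE_LIFETIME_S,
                "interval": POLL_INTERVAL_S}

    def _pending(self, user_code: str):
        auth = self.by_user_code.get(normalize_user_code(user_code))
        if auth is None or auth.approved or auth.denied or self.now() > auth.expires_at:
            return None
        return auth

    def user_code_context(self, user_code: str):
        """What the authorization device should show before the user decides:
        which client asked, for what scope, and how long the code stays valid.
        This is the context the user needs to judge an unexpected code."""
        auth = self._pending(user_code)
        if auth is None:
            return None
        return {"client_name": self.clients[auth.client_id],
                "scope": auth.scope,
                "expires_in": int(auth.expires_at - self.now())}

    def decide(self, user_code: str, approve: bool) -> bool:
        """Record the user's decision; a code can be decided only once."""
        auth = self._pending(user_code)
        if auth is None:
            return False
        if approve:
            auth.approved = True
        else:
            auth.denied = True
        return True

    def token(self, client_id: str, device_code: str) -> dict:
        """Polled by the initiating device (RFC 8628 sections 3.4 and 3.5)."""
        auth = self.by_device_code.get(device_code)
        if auth is None or auth.client_id != client_id:
            return {"error": "invalid_grant"}
        now = self.now()
        if now - auth.last_poll < POLL_INTERVAL_S:
            auth.last_poll = now            # polling too fast resets the wait
            return {"error": "slow_down"}
        auth.last_poll = now
        if now > auth.expires_at:
            return {"error": "expired_token"}
        if auth.denied:
            return {"error": "access_denied"}
        if not auth.approved:
            return {"error": "authorization_pending"}
        if auth.redeemed:
            return {"error": "invalid_grant"}
        auth.redeemed = True
        return {"access_token": secrets.token_urlsafe(32),
                "token_type": "Bearer", "scope": auth.scope}
```

The design choice worth noting is `user_code_context`: a real verification page should render exactly this information (requesting client, requested scope, remaining validity) and nothing the initiating device can influence, because the user's judgment on that page is the only check the draft's unauthenticated channel gets.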