惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

美团技术团队
W
WeLiveSecurity
Stack Overflow Blog
Stack Overflow Blog
L
LangChain Blog
S
SegmentFault 最新的问题
Apple Machine Learning Research
Apple Machine Learning Research
Google DeepMind News
Google DeepMind News
F
Full Disclosure
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
The Register - Security
The Register - Security
G
Google Developers Blog
C
Check Point Blog
GbyAI
GbyAI
A
About on SuperTechFans
V
Vulnerabilities – Threatpost
T
The Blog of Author Tim Ferriss
T
Tor Project blog
AWS News Blog
AWS News Blog
Cyberwarzone
Cyberwarzone
C
CERT Recently Published Vulnerability Notes
MongoDB | Blog
MongoDB | Blog
Latest news
Latest news
aimingoo的专栏
aimingoo的专栏
U
Unit 42
Y
Y Combinator Blog
P
Privacy International News Feed
Cisco Talos Blog
Cisco Talos Blog
S
Securelist
S
Schneier on Security
雷峰网
雷峰网
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Attack and Defense Labs
Attack and Defense Labs
P
Proofpoint News Feed
C
Cisco Blogs
Webroot Blog
Webroot Blog
T
Troy Hunt's Blog
Google Online Security Blog
Google Online Security Blog
月光博客
月光博客
P
Privacy & Cybersecurity Law Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
罗磊的独立博客
Cloudbric
Cloudbric
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Hacker News: Ask HN
Hacker News: Ask HN
H
Hackread – Cybersecurity News, Data Breaches, AI and More
博客园 - 司徒正美
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Microsoft Security Blog
Microsoft Security Blog

Stack Overflow Blog

Paging Charity! How can engineering leaders avoid becoming Bond villains? Code isn’t the only thing causing your production failures Your AI shipped a backend that boots. That is the whole problem. The 2026 Developer Survey is now open (for human developers only)! Oh the places you’ll go with spatial data Dispatches from O'Reilly: From capabilities to responsibilities You don’t understand DNS like you think you do The new bottleneck - Stack Overflow AI agents are a confused deputy with the keys to your kingdom If context is king, architecture is the castle Selenium vs Cypress vs Playwright: Choosing Your Test Automation Framework AI agents expose the security checks you never actually wrote Designing CherryScript: Optimizing Data-Driven Workflows via Custom Python-Based Interpreters Paging Charity? How do I get my leaders to stop running teams Into the ground? Developers are emotionally attached to their tools When the cost of code approaches zero, what does engineering leadership look like? Announcing Stack Overflow for Agents Creating checkpoints by gaslighting a Postgres database What can 500 years of journalism teach developers about AI trustworthiness? Making the OWASP top ten in the vibe code era What it takes to be a player in the international AI game Best of the Heap: First post of the past The find out stage of AI is just supply chain and password protection In an AI world, the most valuable developers will be both artisans and builders Agents on a leash: Agentic AI remains mostly single-agent and monitored at work Do you have what it takes to run AI in production? Dispatches from O'Reilly: The accidental orchestrator Breaking your AI storage bottlenecks Coding agents are giving everyone decision fatigue Pack your agentic stack in Slack Your fridge could be a threat to national security Interviews aren’t about you (sorry) “You can't vibe code scale”: What the AI hype gets wrong about software engineering No Dumb Questions: What is cloud computing and why is everyone doing it? Observability and human intuition in an AI world How Braze’s CTO is rethinking engineering for the agentic area You shipped it fast. But did you ship it right? Building a Google Drive Sync Engine that Survives MV3 Service Workers Connecting the dots for accurate AI When the Sensor Starts Thinking: SnortML, Agentic AI, and the Evolving Architecture of Intrusion Detection Introducing the Heap, the software engineering blog for everyone Compile-Time Map and Compile-Time Mutable Variable with C++26 Reflection No Dumb Questions: What is an MCP server and why do I care? AI giveth and AI taketh CPU How we replaced Ingress-NGINX at Stack Overflow What (un)exactly do you mean by semantic search? Dispatches from O'Reilly: Fast paths and slow paths Time is a construct but it can still break your software The Worst Coder in the World goes agentic: building a leaderboard cracking AI Turning scattered knowledge into trusted intelligence: Stack Internal 2026.3 Your LLM issues are really data issues Welcome to the “find out” stage of AI Lights, camera, open source! - Stack Overflow Black box AI drift: AI tools are making design decisions nobody asked for How to get multiple agents to play nice at scale We still need developer communities No country left behind with sovereign AI Human input needed: take our survey on AI agents Why AI hasn't replaced human expertise—and what that means for your SaaS stack Who needs VCs when you have friends like these? The messy truth of your AI strategies Gen Z needs a knowledge base (and so do you) He designed C++ to solve your code problems Seizing the means of messenger production What the AI trust gap means for enterprise SaaS How can you test your code when you don’t know what’s in it? Prevent agentic identity theft - Stack Overflow Building shared coding guidelines for AI (and people too) Multi-stage attacks are the Final Fantasy bosses of security After all the hype, was 2025 really the year of AI agents? AI is becoming a second brain at the expense of your first one Building a global engineering team (plus AI agents) with Netlify Keeping the lights on for open source Domain expertise still wanted: the latest trends in AI-assisted knowledge for developers Open source for awkward robots The context problem: Why enterprise AI needs more than foundation models Even the chip makers are making LLMs Organizing productive platform teams - Stack Overflow Building brains for bulldozers - Stack Overflow DeveloperWeek 2026: Making AI tools that are actually good AI-assisted coding needs more than vibes; it needs containers and sandboxes No need for Ctrl+C when you have MCP What’s new at Stack Overflow: March 2026 To live in an AI world, knowing is half the battle Beyond block or allow: How pay-per-crawl is reshaping public data monetization Your sneak peek at the redesigned Stack Overflow Dogfood so nutritious it’s building the future of SDLCs Defense against uploads: Q&A with OSS file scanner, pompelmi Even GenAI uses Wikipedia as a source Why Stack Overflow and Cloudflare launched a pay-per-crawl model Mind the gap: Closing the AI trust gap for developers Data is the new oil, and your database is the only way to extract it Even your voice is a data problem How everyone and anyone can use AI for good Is anyone using AI for good? The logos, ethos, and pathos of your LLMs Why demand for code is infinite: How AI creates more developer jobs AI attention span so good it shouldn’t be legal Code smells for AI agents: Q&A with Eno Reyes of Factory Generating text with diffusion (and ROI with LLMs)
OAuth 2.0 – Device flow explained for Engineers, especially for Backend Engineers
Srikanth Srinivas · 2026-05-12 · via Stack Overflow Blog

First time I tried to login to Netflix at a hotel TV I almost gave up. The remote was having only four arrow keys and a number pad. My password was 18 characters with symbols. Whoever designed the login screen had either never used it themselves, or they had decided suEering builds character.

After few years, the same TV’s started doing something different. They showed us a short code and an URL. I opened phone, typed the URL, entered the code and we are in. No remote-control circus. No password on a TV.

That is OAuth 2.0 device authorization grant. Most of the people just call it that device flow.

If we run aws sso login, gh auth login, or signed into Spotify on an Xbox, we have already used it. And if you are build a backend for a CLI, an IOT device, a smart TV app or anything where typing a password is really painful or not safe, we should end up implementing it sooner or later.

Here is the step by step

Step1: Assume we are building a CLI called mycli. The user runs:

$ mycli login

Below will happen behind the scenes.

Step 1: The CLI asks for a code

The CLI sends a POST to authorization server:

POST /oauth/device_authorization HTTP/1.1
Host: auth.example.com
Content-Type: application/x-www-form-urlencoded
client_id=mycli-prod&scope=read:repos%20write:repos

The server responds with something like this:

{
"device_code": "GmRhmhcxhwAzkoEqiMEg_DnyEysNkuNhszIySk9eS",
"user_code": "WDJB-MJHT",
"verification_uri": "https://example.com/device",

"verification_uri_complete": "https://example.com/device?user_code=WDJB-
MJHT",

"expires_in": 1800,
"interval": 5

}

Five fields actually matter:

device_code is a long, opaque string. The CLI keeps this private.

user_code is the short, human-friendly one. The CLI shows this on screen.

verification_uri is where the user goes to enter the code.

expires_in is how long the exchange is valid. Usually 15 to 30 minutes.

interval is how often the CLI is allowed to poll for the token. We will get to that.

Step 2: the CLI tells the user what to do

Your CLI prints something like:

Open this URL in your browser:
https://example.com/device

Enter this code:
  WDJB-MJHT
Waiting for confirmation...

The user goes to their phone or laptop, opens the URL enter the code and signs in normally with SSO and approves the request.

Step 3: CLI polls the token endpoint

When we are using phone, the CLI is in the loop and every five seconds it try to reach the server and get the status

POST /oauth/token HTTP/1.1
Host: auth.example.com
Content-Type: application/x-www-form-urlencoded
grant_type=urn:ietf:params:oauth:grant-type:device_code
&device_code=GmRhmhcxhwAzkoEqiMEg_DnyEysNkuNhszIySk9eS
&client_id=mycli-prod

The server’s response is one of the five things, this is the part most of us will get wrong on the first implementation.

Five response we should handle

Authorization_pending – Users not approved yet

slow_down – you are polling too fast. The RFC says you must increase your interval by at least 5 seconds

expired_token – Exchange ran out of time, stop polling

access_denied – User clicked no or closed the page. Stop polling

success – the token is in the body, like a normal OAuth response:

{
"access_token": "eyJhbGciOi...",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "v1.MRn7...",
"scope": "read:repos write:repos"
}

That is the whole protocol. If we can handle those five cases, we will have a working device flow client.

1. Treating user_code like it is secret. It is not. The user types it into their phone. Your job is to make it short enough to read but unguessable. The standard is 8 to 9 alphanumeric characters with the confusing ones removed (no 0, O, I, 1). GitHub uses 8 characters in the format XXXX XXXX. That is a good template.

2. No rate limiting on the verification page. The endpoint where users enter the user_code is a brute-force target. With a 9-character code from a reduced alphabet, you have plenty of theoretical entropy, but pending codes at any given moment number in the thousands. Lock it down. Per-IP, per-session, exponential backoff after failures.

3. Ignoring slow_down. I have seen clients that sleep for the same interval forever, no matter what the server says. That works in dev. In production it gets you flagged as abusive.

4. Not expiring the user_code immediately on use. Once the user submits the code, mark it consumed. Atomically. If your check-then-mark logic is not transactional, you have a real bug waiting to happen.

5. Confusing this with PKCE. Device flow is for input-constrained devices. PKCE is for public clients (mobile apps, SPAs) that cannot keep a secret. They look similar on the surface (no client secret) but solve different problems. You sometimes need both. Device flow + PKCE is fine and increasingly common.

The device flow is one of those protocols that looks complicated in the RFC but actually fits on a napkin. Two endpoints, five response cases, Once you have built it once, you will wonder why anyone ever bothered with passwords on TVs.

If you are shipping a CLI today and still asking users to paste personal access tokens into a prompt, do them a favor. Spend an afternoon implementing this. Your users will notice.