It is meant for devices with no browser or with only a limited input method, like kiosks, gaming consoles and so on (the OAuth 2.0 Device Authorization Grant, RFC 8628).
The device sends a request to the authorization server's device authorization endpoint and identifies itself with its client_id (plus the scope it wants), not with a hardware device ID.
The auth server generates a device_code (a long secret that only the device sees), a short user_code for the end user to type, and a verification_uri for the end user; the response also carries expires_in and the minimum polling interval.
The user takes a second device (for example a mobile phone), visits the verification_uri, types the user_code, authenticates and approves (or denies) the request.
While this happens, the device polls the token endpoint on the authorization server with its device_code, no faster than the given interval, to determine whether the user has authenticated and authorized this particular device; until then the server answers authorization_pending (or slow_down if the device polls too quickly), and it answers expired_token once the device_code lifetime has passed.
Finally it gets the access_token (and, if the server issues one, a refresh_token), which it can use.
The device itself might not be able to validate the token, so an API gateway or the API receiving the token validates it.
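The exchange described above, as an added example that is not part of the original notes: a minimal in-memory model of both sides of the Device Authorization Grant. The authorization server hands out device_code/user_code, the user approves from a second device, and the device polls the token endpoint and handles authorization_pending, slow_down, access_denied and expired_token. The endpoint names, the client_id "kiosk-app", the verification URI, the user_code format and the timing values are assumptions chosen for the demo; time is passed in explicitly so the flow runs instantly.

```python
"""Added example (not from the original notes): in-memory model of the OAuth 2.0
Device Authorization Grant (RFC 8628). Endpoint names, client_id, verification
URI, user_code format and timings are assumptions for the demo."""
import secrets

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"   # no vowels/confusable letters (RFC 8628 6.1)


class AuthServer:
    """Toy authorization server; state lives in memory, 'now' is passed in by the caller."""

    def __init__(self, known_clients, interval=5, lifetime=600):
        self.known_clients = set(known_clients)
        self.interval = interval          # minimum seconds between polls
        self.lifetime = lifetime          # seconds until the device_code expires
        self.pending = {}                 # device_code -> record
        self.by_user_code = {}            # user_code -> device_code

    def device_authorization(self, client_id, scope, now):
        """Device authorization endpoint: the device identifies itself by client_id."""
        if client_id not in self.known_clients:
            return {"error": "invalid_client"}
        device_code = secrets.token_urlsafe(32)               # long secret, only the device sees it
        user_code = "-".join("".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(4))
                             for _ in range(2))               # short, typeable, e.g. WDJB-MJHT
        self.pending[device_code] = {"client_id": client_id, "scope": scope, "user_code": user_code,
                                     "expires_at": now + self.lifetime, "last_poll": now,
                                     "user": None, "denied": False}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://auth.example/device",
                "verification_uri_complete": f"https://auth.example/device?user_code={user_code}",
                "expires_in": self.lifetime, "interval": self.interval}

    def decide(self, user_code, user, approved, now):
        """Verification page: the user, on a second device, enters user_code and approves/denies."""
        rec = self.pending.get(self.by_user_code.get(user_code))
        if rec is None or now > rec["expires_at"]:
            return False
        rec["user"], rec["denied"] = user, not approved
        return True

    def token(self, client_id, device_code, grant_type, now):
        """Token endpoint: the device polls here with its device_code."""
        if grant_type != GRANT_TYPE:
            return {"error": "unsupported_grant_type"}
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if now > rec["expires_at"]:
            self._drop(device_code)
            return {"error": "expired_token"}
        if now - rec["last_poll"] < self.interval:
            return {"error": "slow_down"}                     # polled too fast; client must back off
        rec["last_poll"] = now
        if rec["user"] is None:
            return {"error": "authorization_pending"}
        self._drop(device_code)                               # device_code is single use either way
        if rec["denied"]:
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": secrets.token_urlsafe(32), "scope": rec["scope"]}

    def _drop(self, device_code):
        rec = self.pending.pop(device_code)
        self.by_user_code.pop(rec["user_code"], None)


class FakeClock:
    """Lets the demo run instantly; a real device would use time.time/time.sleep."""

    def __init__(self, on_tick=None):
        self.t, self.on_tick = 0, on_tick

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds
        if self.on_tick:
            self.on_tick(self.t)                              # lets a scripted "user" act meanwhile


def run_device_flow(server, client_id, scope, clock, show_to_user):
    """Device side: request codes, display them, then poll until a terminal response."""
    resp = server.device_authorization(client_id, scope, clock.now())
    if "error" in resp:
        return resp
    show_to_user(resp["verification_uri"], resp["user_code"])
    interval, deadline = resp["interval"], clock.now() + resp["expires_in"]
    while clock.now() <= deadline:
        clock.sleep(interval)
        reply = server.token(client_id, resp["device_code"], GRANT_TYPE, clock.now())
        err = reply.get("error")
        if err == "authorization_pending":
            continue
        if err == "slow_down":
            interval += 5                                     # RFC 8628 5.2: add 5 s and keep polling
            continue
        return reply                                          # token, access_denied or expired_token
    return {"error": "expired_token"}


if __name__ == "__main__":
    srv, shown = AuthServer({"kiosk-app"}), {}

    def phone(t):                                             # scripted second device: approves at t >= 12
        if t >= 12 and "code" in shown and "done" not in shown:
            shown["done"] = srv.decide(shown["code"], "alice", True, t)

    def show(uri, code):
        shown["code"] = code
        print(f"Display on device: open {uri} and enter {code}")

    print(run_device_flow(srv, "kiosk-app", "read:orders", FakeClock(on_tick=phone), show))
```

The server never updates last_poll on a slow_down answer, so a device that ignores back-off stays throttled until a full interval has passed since its last accepted poll; the device_code is removed after any terminal answer, so a second poll after success returns invalid_grant rather than a second token.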
Uses
Requirements to use it:
The device is already connected to the internet
The device can make HTTPS requests
The device must be able to communicate a URI and the user_code to the end user for their authentication and eventual authorization
The user has a device available to visit the URI
Not for mobile: a mobile app has a browser, so use the Authorization Code flow with PKCE instead
Not for IoT devices: no authentication flow is reliable for them yet, and IoT devices usually have no way to show a URI and user_code to the user