# Device Code Flow
The Device Code Flow uses the OAuth 2.0 Device Authorization Grant. It is meant to be used by IoT type devices (such as Smart TVs) that lack a browser or are input constrained.
> [!NOTE] This flow requires user interaction in a separate device.

## How it works!?
1. The device first sends a POST request to the `/devicecode` endpoint with it's `client_id` and the `scope` is requesting.
2. The response has the `message` which instructs the user to go to the `verification_uri` along with the `user_code` which the user will need to input in a different device to authenticate and authorize the scope for that device.
3. The `device_code`, is also returned as a parameter in the response and is used in a follow up POST request by the device, this time to the `/token` endpoint.
4. After the initial POST in step (3) request, the device will continue to poll (send requests)  `/token` endpoint until it receives a `200` (after a successful user login and consent of scope(s)) including the token(s) or a different error like scope issues, the user not logging or the flow not supported for that application.

### Visual of Device Code Flow
See the `Device_Code_Flow.md` for a visual representation using mermaid.

---   
## Prerequisites
To execute this flow, you must turn on "Allow public client flows". 

Here is a how to do this:
1. Got to Azure Portal
2. Entra ID > App registrations
3. Select your application
4. Under Manage select Authentication
5. In Advanced settings towards the bottom, you have "**Allow public client flows**" 
6. Turn the switch on to "Yes" to the right of "Enable the following mobile and desktop flows:"

In [None]:
import sys
sys.path.append('../')
import OAuth2_Flows
import pyperclip

Enter your tenant id, client id, and change the scope to whatever fits your needs.

In [None]:
tenant_id = ''
client_id = ''
# Change to whatever scope(s) you'd like to request
scope = 'openid offline_access https://graph.microsoft.com/.default' #offline_access is required for refresh token

## Device Authorization Request
The function will first send a POST request to the `/devicecode` endpoint.
- The user has 15 minutes (default) to sign-in after the request is sent

Then the function will use the `device_code` to poll the `\token` endpoint, until the user sign-in and the tokens returned in the response or something fails.

In [None]:
access_token, refresh_token, id_token = OAuth2_Flows.device_code_flow(tenant_id, client_id, scope)
print(f"Access Token: {access_token}")
print(f"ID Token: {id_token}")
print(f"Refresh Token: {refresh_token}")