Is it possible to invalidate a device code?

Hello 🙂

Assuming I use the oauth/device/code from the “device authorization” flow to obtain a device code, verification URI etc., is it possible to invalidate the device code in any way?

My use case: the user opens the browser and inserts the user code but before confirming he “aborts” the login process on the device and starts a new one. The old code in this case would still be usable in the browser.

I know that the user is normally asked to pay attention to the user code being displayed on the device, but I’m wondering if there’s a way to “formally” invalidate the code, so that the browser would instead display an error of some kind if the old code (still technically valid) is used 🙂

In the OAuth 2.0 Device Authorization Flow, once a device code is issued, there is typically no mechanism to invalidate the device code explicitly. The device code is considered valid until it expires based on the expiration time specified in the response.

However, you can implement a custom solution to handle your use case. Here’s a suggestion:

  1. Track the status of the device code on your server or in your application’s database.

  2. When a user starts a new login process, update the status of the previous device code to indicate that it is no longer valid or has been invalidated.

  3. When the browser attempts to use the old device code for verification, check the status of the device code on your server. If it is marked as invalid or revoked, return an appropriate error response to the browser.

By implementing this custom tracking and validation mechanism, you can effectively handle scenarios where a user starts a new login process and prevent the old device code from being used successfully in the browser.

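A sketch of the three tracking steps suggested in the answer above, as an added example that is not part of the original thread and not code from any identity provider. It assumes your own backend records each code it requests and that the check runs on a verification page or proxy you control; `DeviceCodeRegistry`, `device_id` and the status names are hypothetical, and the registry is keyed by the user code because that is the value the browser submits.

```python
import time
from dataclasses import dataclass
from enum import Enum

class Status(Enum):
    PENDING = "pending"
    REVOKED = "revoked"
    EXPIRED = "expired"
    UNKNOWN = "unknown"

@dataclass
class Grant:
    device_id: str       # hypothetical identifier for the physical device
    user_code: str       # normalized code the user types into the browser
    expires_at: float    # absolute expiry, from the expires_in of the response
    revoked: bool = False

class DeviceCodeRegistry:
    """Server-side record of the device-flow codes this app has requested."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._by_user_code = {}      # normalized user_code -> Grant
        self._active = {}            # device_id -> Grant currently on screen

    @staticmethod
    def _norm(user_code):
        # Codes are retyped by hand: ignore case, dashes and spaces.
        return "".join(c for c in user_code.upper() if c.isalnum())

    def start_login(self, device_id, user_code, expires_in):
        """Steps 1 and 2: record the new code, revoke the one it replaces."""
        previous = self._active.get(device_id)
        if previous is not None:
            previous.revoked = True
        grant = Grant(device_id, self._norm(user_code), self._clock() + expires_in)
        self._by_user_code[grant.user_code] = grant
        self._active[device_id] = grant

    def check(self, user_code):
        """Step 3: status to consult before the browser confirms a code."""
        grant = self._by_user_code.get(self._norm(user_code))
        if grant is None:
            return Status.UNKNOWN
        if grant.revoked:
            return Status.REVOKED
        if self._clock() >= grant.expires_at:
            return Status.EXPIRED
        return Status.PENDING
```

Anything other than `Status.PENDING` should produce an error page instead of the confirmation prompt. The authorization server itself still treats the old code as valid until it expires, so the check only protects paths that go through your own verification step.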