Hello!
I am wondering if it’s possible to use the OAuth2 device flow to authenticate devices (TVs) that are input-constrained: I have a process in mind where, on initial setup of the TVs, installers have to use their secondary device (smartphone) to authenticate the TVs by entering a device code that is shown on-screen.
But in the regular OAuth2 device flow, the access tokens the TVs receive are then bound to that specific installer’s user_id. I’d like to have a system where the TVs themselves are the “resource owner”. But is it somehow possible to bind access tokens to a device id instead of a user id?
Since the TVs could be located in public areas, they cannot be considered safe to store a client_secret. So I guess that I’m not able to use the client_credentials flow in this case, where the tokens would not be bound to a specific user.
Thanks in advance for any ideas or suggestions!
Stephen