Validate Bearer access_token from Device Authorization flow


I may be completely off in trying to work with a Device Authorization Code flow and this is just an XY problem.

I want Users of my app to be able to authenticate using a native desktop app. The app is actually an extension for a 3rd party app, so I don’t have full control of the code, just the extension and its limited capabilities.
I want users to login in from their browser, and pass some secret to the native app so that it can “pair” them with their identity. So that next time they open that extension, the extension can send data to the server on my app, and my server will be able to verify their identity (the extension user’s idetity).

Following the guide here:

I reach a point where the user has logged in and confirmed the user_code for their device_code. Now I make the following request to retrieve a token:

curl --request POST \
  --url '' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=urn:ietf:params:oauth:grant-type:device_code \
  --data device_code=AAAA-AAAA \
  --data 'client_id=aaaaaaa'

This returns a response similar to the following:


The access_token value is not a JWT, it’s a rather short string similar to the example above.
How can I validate this token when it is presented by a client? How can I find which user generated it and what permissions/scopes that user has?

Also, the docs state that:

“Public applications cannot use the client_credentials grant type. To use this grant type, you must indicate that the application is confidential rather than public. Use the Management API to set the token_endpoint_auth_method to client_secret_post or client_secret_basic.”

Where can I read more about this? Would it be unusual for a Native App with Device Authorization flow to be “confidential”?

Thanks for any help.

I just saw this question which linked to this FAQ:

From this I can see that if I GET with the opqaue token, then I receive a response, but it only shows me a JSON object containing the API URL and an array of Roles.

{"https://myapi/api/v1/roles":["Some Role"]}

What should I be doing do get this endpoint to display permissions, user details, etc.?

You should try requesting more scopes. When you make your initial Auth request, you send a list of scopes that determine what user data is returned. Also, are you seeing an ID token returned with your access token? This doc shows which scopes return what information:

This is my initial request for profile,email,openid:

curl --request POST \
  --url '' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'client_id=bbbbbbbbbbbbbbbbbbbb' \
  --data scope=profile,email,openid

All I get is the Opaque token:


And the only data it returns is my API and a single Role:

{"https://myapi/api/v1/roles":["Some Role"]}

Can you try separating your scopes with spaces instead of commas?

i.e. 'scope=profile email openid'

Thank you @dan.woda! That did it, I now get a proper JWT.

The solution worked for me thanks to the community and the members for the solution.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.