PSA to all TV app developers: when a user first signs-in please add a QR code that contains the “sign-in through your browser” URL along with the unique code as a query parameter. It will delight your users who have a phone that supports it (most do now) Examples 👇
6
4
48
I'm very curious why the code but not the QR is obfuscated in the first one, but the QR and not the code is obfuscated in the second one... they contain the same data! But yes this is a good UX improvement on top of the OAuth device flow 👍
1
2
I thought the exact same thing but was too lazy to get my laptop out so I could scan the pictures with my phone to check if they indeed contain the unique code too or just the same generic URL 😂 in case it wasn’t obvious they’re not my screenshots. Hopefully the codes expire.
1
Replying to @_jayphelps
They do! They also don't (can't) contain any identifying information at this stage in the flow. The only risk in sharing these screenshots is if you share them within like 10 minutes of seeing it, and then the "attacker" can log in their account to your TV so 🤷‍♂️

Jan 5, 2022 · 6:10 AM UTC

2
Replying to @aaronpk
Hopefully so! I wouldn’t personally bet that the devs of every TV app correctly expire these codes within a short time frame 😅 I’ve seen far worse security gaffes, I’m sure you have too.
1
Fair! Thankfully these codes come from the authorization server rather than the app, so unless you're also building our own AS there's less of a chance of messing that one up! Your comment about the QR code is spot on tho! That's an optimization the app dev can do for better UX