In general I would welcome a contribution for this specification. I would suggest starting with a design proposal [1] so we can discuss how it would look like for Keycloak. As we don't have any plans on the immediate roadmap for this a contribution would have to be a complete implementation of the specification, include sufficient level of documentation and testing. [1] https://github.com/keycloak/keycloak-community/tree/master/design On Tue, 19 Mar 2019 at 10:59, Hiroyuki Wada <h2-wada(a)nri.co.jp&gt; wrote:

Thank you for your comment. I understand, I'll write the design proposal! I think there are some differences in the use cases applied. OAuth2 Device Grant is applied for the devices with no browser or limited input capability. Also the device does not need to know the end-user when starting the authorization flow. OpenID Connect Client Initiated Backchannel Authentication Flow (CIBA) is for different use-case. CIBA is that the client is not under the control of the end-user and it can be physically separated from the authentication device. For example, there is an identity verification case like KYC which a client is running a computer of a person working in a call center, and an end-user authenticates with own smartphone at hand and federate it to the client when identifying with a phone call. It is most ideal to support both specifications in Keycloak, but I would like to start the simpler specification OAuth2 Device Grant first. Best regards, -- Hiroyuki Wada Nomura Research Institute, Ltd. h2-wada(a)nri.co.jp -------------------------------------------------------------------- このメールには、本来の宛先の方のみに限定された機密情報が含まれている 場合がございます。お心あたりのない場合は、送信者にご連絡のうえ、 このメールを削除してくださいますようお願い申し上げます。 PLEASE READ:This e-mail is confidential and intended for the named recipient only. If you are not an intended recipient, please notify the sender and delete this e-mail. --------------------------------------------------------------------