Not quite following your use-case. What type of application are you referring to? urn:ietf:wg:oauth:2.0:oob is generally useful for a CLI where there is no browser. It will make Keycloak output the authorization code and the user is required to copy/paste this to the application that can then use it to obtain tokens. OAuth 2.0 device authorization grant is a slightly better flow than the above. We have a open design proposal for it here https://github.com/keycloak/keycloak-community/pull/6, but so far we don't have any contributions around it. Finally, you can also use OAuth2 resource owner credential grant which allows exchanging user credentials directly with a token without redirect. This flow is rather limited do as you need to hardcode credential collection in the application which makes it not very flexible (no support for webauthn in the future, no support for identity brokering, etc..). It also poses a security risk as you are exposing user credentials directly to the applications, which will give applications potential to access everything the user can and not just what the user can access for the specific application, which is not great in a SSO scenario. On Wed, 21 Aug 2019 at 12:55, Frans van Niekerk <frans.vanniekerk(a)gmail.com&gt; wrote: