OneIdentity
diff --git a/‎DEVICE-CODE-PLAN.md‎
Lines changed: 995 additions & 0 deletions b/‎DEVICE-CODE-PLAN.md‎
Lines changed: 995 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 27 additions & 0 deletions b/‎README.md‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎SafeguardDotNet.Core.sln‎
Lines changed: 13 additions & 0 deletions b/‎SafeguardDotNet.Core.sln‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎SafeguardDotNet.DeviceCodeLogin/DeviceCodeInfo.cs‎
Lines changed: 24 additions & 0 deletions b/‎SafeguardDotNet.DeviceCodeLogin/DeviceCodeInfo.cs‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎SafeguardDotNet.DeviceCodeLogin/DeviceCodeLogin.cs‎
Lines changed: 222 additions & 0 deletions b/‎SafeguardDotNet.DeviceCodeLogin/DeviceCodeLogin.cs‎
Lines changed: 222 additions & 0 deletions
diff --git a/‎SafeguardDotNet.DeviceCodeLogin/DeviceCodeLoginParameters.cs‎
Lines changed: 39 additions & 0 deletions b/‎SafeguardDotNet.DeviceCodeLogin/DeviceCodeLoginParameters.cs‎
Lines changed: 39 additions & 0 deletions
@@ -134,6 +134,7 @@ enabled this grant type, calls using this method will fail.
 | Package | NuGet | Use Case |
 |-|-|-|
 | [SafeguardDotNet.BrowserLogin](SafeguardDotNet.BrowserLogin) | `OneIdentity.SafeguardDotNet.BrowserLogin` | Interactive apps — opens the default browser for login (cross-platform) |
+| [SafeguardDotNet.DeviceCodeLogin](SafeguardDotNet.DeviceCodeLogin) | `OneIdentity.SafeguardDotNet.DeviceCodeLogin` | Headless/remote devices — displays a URL and code for the user to authenticate on another device |
 | [SafeguardDotNet.PkceNoninteractiveLogin](SafeguardDotNet.PkceNoninteractiveLogin) | `OneIdentity.SafeguardDotNet.PkceNoninteractiveLogin` | Automated/programmatic scenarios — no browser required |
 | [SafeguardDotNet.GuiLogin](SafeguardDotNet.GuiLogin) | `OneIdentity.SafeguardDotNet.GuiLogin` | Windows Forms desktop apps — embedded WebView2 dialog |
 
@@ -163,6 +164,32 @@ var connection = DefaultBrowserLogin.Connect("safeguard.sample.corp");
 Console.WriteLine(connection.InvokeMethod(Service.Core, Method.Get, "Me"));
 ```
 
+### Device Code Login (Recommended for Headless/Remote Devices)
+
+When there is no browser on the local machine (SSH sessions, containers, IoT
+devices), use the Device Code flow. The user authenticates on a separate device:
+
+```PowerShell
+PS> dotnet add package OneIdentity.SafeguardDotNet.DeviceCodeLogin
+```
+
+```C#
+using OneIdentity.SafeguardDotNet;
+using OneIdentity.SafeguardDotNet.DeviceCodeLogin;
+
+var connection = DeviceCodeLogin.Connect("safeguard.sample.corp",
+    new DeviceCodeLoginParameters
+    {
+        DisplayCallback = info =>
+        {
+            Console.WriteLine($"Visit: {info.VerificationUri}");
+            Console.WriteLine($"Enter code: {info.UserCode}");
+        },
+    },
+    ignoreSsl: true);
+Console.WriteLine(connection.InvokeMethod(Service.Core, Method.Get, "Me"));
+```
+
 ### PKCE Non-Interactive Login (Recommended for Automation)
 
 When you need programmatic authentication without a browser (e.g. automated
 
@@ -29,6 +29,10 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "SafeguardDotNetPkceNoninter
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "SampleA2aService", "Samples\SampleA2aService\SampleA2aService.csproj", "{0149D659-78E3-476B-81F1-A80BDFA6F8A9}"
 EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "SafeguardDotNet.DeviceCodeLogin", "SafeguardDotNet.DeviceCodeLogin\SafeguardDotNet.DeviceCodeLogin.csproj", "{6802F7A9-CD3D-4608-9EEC-C98636DA2708}"
+EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "SafeguardDotNetDeviceCodeLoginTester", "Test\SafeguardDotNetDeviceCodeLoginTester\SafeguardDotNetDeviceCodeLoginTester.csproj", "{20D9ED51-6852-44FC-A413-5EC7631139F9}"
+EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Test", "Test", "{DD89D86B-68DA-4EB0-8EBC-60DE3DC2B084}"
 EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Samples", "Samples", "{867EB36D-7893-444D-900D-29733E8E2636}"
@@ -108,6 +112,14 @@ Global
 		{1B11B367-2F76-49EE-A820-2A0A8B1721B1}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{1B11B367-2F76-49EE-A820-2A0A8B1721B1}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{1B11B367-2F76-49EE-A820-2A0A8B1721B1}.Release|Any CPU.Build.0 = Release|Any CPU
+		{6802F7A9-CD3D-4608-9EEC-C98636DA2708}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{6802F7A9-CD3D-4608-9EEC-C98636DA2708}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{6802F7A9-CD3D-4608-9EEC-C98636DA2708}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{6802F7A9-CD3D-4608-9EEC-C98636DA2708}.Release|Any CPU.Build.0 = Release|Any CPU
+		{20D9ED51-6852-44FC-A413-5EC7631139F9}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{20D9ED51-6852-44FC-A413-5EC7631139F9}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{20D9ED51-6852-44FC-A413-5EC7631139F9}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{20D9ED51-6852-44FC-A413-5EC7631139F9}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -122,6 +134,7 @@ Global
 		{D0009DBA-16E1-4E6F-AC1E-D11B16AB3C41} = {DD89D86B-68DA-4EB0-8EBC-60DE3DC2B084}
 		{C6D34567-3456-4321-9876-345678901CDE} = {DD89D86B-68DA-4EB0-8EBC-60DE3DC2B084}
 		{0149D659-78E3-476B-81F1-A80BDFA6F8A9} = {867EB36D-7893-444D-900D-29733E8E2636}
+		{20D9ED51-6852-44FC-A413-5EC7631139F9} = {DD89D86B-68DA-4EB0-8EBC-60DE3DC2B084}
 		{1EB6D64D-7AFB-41DC-B11B-58934D053684} = {9249E337-656D-4970-B45C-7A077C56FA44}
 		{1B11B367-2F76-49EE-A820-2A0A8B1721B1} = {DD89D86B-68DA-4EB0-8EBC-60DE3DC2B084}
 	EndGlobalSection
 
@@ -0,0 +1,24 @@
+// Copyright (c) One Identity LLC. All rights reserved.
+
+namespace OneIdentity.SafeguardDotNet.DeviceCodeLogin;
+
+/// <summary>
+/// Contains the device authorization response information displayed to the user.
+/// </summary>
+public class DeviceCodeInfo
+{
+    /// <summary>The URI the user must visit to authenticate (for manual code entry).</summary>
+    public string VerificationUri { get; set; }
+
+    /// <summary>The code the user must enter at the verification URI. Format: XXX-XXX-XXX.</summary>
+    public string UserCode { get; set; }
+
+    /// <summary>
+    /// Complete URI with the user code pre-filled. The user can simply click/open this
+    /// URL without manually typing the code. Always provided by Safeguard RSTS.
+    /// </summary>
+    public string VerificationUriComplete { get; set; }
+
+    /// <summary>Lifetime in seconds before the codes expire (always 300 from RSTS).</summary>
+    public int ExpiresIn { get; set; }
+}
@@ -0,0 +1,222 @@
+// Copyright (c) One Identity LLC. All rights reserved.
+
+namespace OneIdentity.SafeguardDotNet.DeviceCodeLogin;
+
+using System;
+using System.Net.Http;
+using System.Security;
+using System.Text;
+using System.Threading;
+using System.Threading.Tasks;
+
+using Newtonsoft.Json;
+using Newtonsoft.Json.Linq;
+
+using Serilog;
+
+/// <summary>
+/// Provides device code-based authentication to Safeguard using OAuth 2.0
+/// Device Authorization Grant (RFC 8628).
+/// </summary>
+public static class DeviceCodeLogin
+{
+    /// <summary>
+    /// Connect to Safeguard API using the Device Authorization Grant.
+    /// Blocks until the user completes authentication or the code expires.
+    /// </summary>
+    /// <param name="appliance">Network address of the Safeguard appliance.</param>
+    /// <param name="parameters">Device code flow parameters including the display callback.</param>
+    /// <param name="apiVersion">Target API version to use.</param>
+    /// <param name="ignoreSsl">Ignore server certificate validation (dev only).</param>
+    /// <returns>Reusable Safeguard API connection.</returns>
+    /// <exception cref="ArgumentException">Thrown when DisplayCallback is null or appliance is empty.</exception>
+    /// <exception cref="SafeguardDotNetException">Thrown when authentication fails, code expires, or API error.</exception>
+    public static ISafeguardConnection Connect(
+        string appliance,
+        DeviceCodeLoginParameters parameters,
+        int apiVersion = Safeguard.DefaultApiVersion,
+        bool ignoreSsl = false)
+    {
+        return ConnectAsync(appliance, parameters, apiVersion, ignoreSsl, CancellationToken.None)
+            .GetAwaiter().GetResult();
+    }
+
+    /// <summary>
+    /// Connect to Safeguard API using the Device Authorization Grant (async).
+    /// Returns when the user completes authentication, the code expires,
+    /// or the cancellation token is triggered.
+    /// </summary>
+    /// <param name="appliance">Network address of the Safeguard appliance.</param>
+    /// <param name="parameters">Device code flow parameters including the display callback.</param>
+    /// <param name="apiVersion">Target API version to use.</param>
+    /// <param name="ignoreSsl">Ignore server certificate validation (dev only).</param>
+    /// <param name="cancellationToken">Cancellation token to abort the flow.</param>
+    /// <returns>Reusable Safeguard API connection.</returns>
+    /// <exception cref="ArgumentException">Thrown when DisplayCallback is null or appliance is empty.</exception>
+    /// <exception cref="SafeguardDotNetException">Thrown when authentication fails, code expires, or API error.</exception>
+    /// <exception cref="OperationCanceledException">Thrown when cancellation is requested.</exception>
+    public static async Task<ISafeguardConnection> ConnectAsync(
+        string appliance,
+        DeviceCodeLoginParameters parameters,
+        int apiVersion = Safeguard.DefaultApiVersion,
+        bool ignoreSsl = false,
+        CancellationToken cancellationToken = default)
+    {
+        if (string.IsNullOrEmpty(appliance))
+        {
+            throw new ArgumentException("Appliance network address is required.", nameof(appliance));
+        }
+
+        if (parameters?.DisplayCallback == null)
+        {
+            throw new ArgumentException("DisplayCallback is required.", nameof(parameters));
+        }
+
+        var clientId = parameters.ClientId ?? "SafeguardDotNet";
+        var scope = parameters.Scope ?? "rsts:sts:primaryproviderid:local";
+
+        using var http = CreateHttpClient(ignoreSsl);
+
+        // Step 1: Request device code (CRITICAL: no trailing slash on URL)
+        Log.Debug("Requesting device authorization from {Appliance}", appliance);
+
+        var deviceAuthUrl = $"https://{appliance}/RSTS/oauth2/DeviceLogin";
+        var requestBody = JsonConvert.SerializeObject(new { client_id = clientId, scope });
+        var content = new StringContent(requestBody, Encoding.UTF8, "application/json");
+
+        HttpResponseMessage response;
+        try
+        {
+            response = await http.PostAsync(deviceAuthUrl, content, cancellationToken).ConfigureAwait(false);
+        }
+        catch (HttpRequestException ex)
+        {
+            throw new SafeguardDotNetException(
+                $"Device authorization request failed: unable to connect to {appliance} — {ex.Message}", ex);
+        }
+
+        var responseBody = await response.Content.ReadAsStringAsync().ConfigureAwait(false);
+
+        if (!response.IsSuccessStatusCode)
+        {
+            throw new SafeguardDotNetException(
+                $"Device authorization request failed: {response.StatusCode} {responseBody}",
+                response.StatusCode,
+                responseBody);
+        }
+
+        var deviceResponse = JObject.Parse(responseBody);
+        var deviceCode = deviceResponse["device_code"]?.ToString();
+        var userCode = deviceResponse["user_code"]?.ToString();
+        var verificationUri = deviceResponse["verification_uri"]?.ToString();
+        var verificationUriComplete = deviceResponse["verification_uri_complete"]?.ToString();
+        var expiresIn = deviceResponse["expires_in"]?.Value<int>() ?? 300;
+
+        // Step 2: Display to user via callback
+        parameters.DisplayCallback(new DeviceCodeInfo
+        {
+            VerificationUri = verificationUri,
+            UserCode = userCode,
+            VerificationUriComplete = verificationUriComplete,
+            ExpiresIn = expiresIn,
+        });
+
+        // Step 3: Poll token endpoint
+        Log.Debug("Polling token endpoint for device code redemption");
+
+        var tokenUrl = $"https://{appliance}/RSTS/oauth2/token";
+        var intervalSeconds = parameters.PollingIntervalSeconds > 0 ? parameters.PollingIntervalSeconds : 5;
+        var deadline = DateTime.UtcNow.AddSeconds(expiresIn);
+        SecureString rstsAccessToken = null;
+
+        while (DateTime.UtcNow < deadline)
+        {
+            cancellationToken.ThrowIfCancellationRequested();
+
+            await Task.Delay(TimeSpan.FromSeconds(intervalSeconds), cancellationToken).ConfigureAwait(false);
+
+            var pollBody = JsonConvert.SerializeObject(new
+            {
+                grant_type = "urn:ietf:params:oauth:grant-type:device_code",
+                device_code = deviceCode,
+                client_id = clientId,
+            });
+            var pollContent = new StringContent(pollBody, Encoding.UTF8, "application/json");
+            var pollResponse = await http.PostAsync(tokenUrl, pollContent, cancellationToken).ConfigureAwait(false);
+            var pollResponseBody = await pollResponse.Content.ReadAsStringAsync().ConfigureAwait(false);
+            var pollJson = JObject.Parse(pollResponseBody);
+
+            if (pollResponse.IsSuccessStatusCode)
+            {
+                rstsAccessToken = pollJson["access_token"]?.ToString().ToSecureString();
+                break;
+            }
+
+            var error = pollJson["error"]?.ToString();
+            switch (error)
+            {
+                case "authorization_pending":
+                    continue;
+                case "slow_down":
+                    intervalSeconds += 5;
+                    continue;
+                case "access_denied":
+                    throw new SafeguardDotNetException(
+                        "Device code authentication was denied.",
+                        pollResponse.StatusCode,
+                        pollResponseBody);
+                case "expired_token":
+                    throw new SafeguardDotNetException(
+                        "Device code has expired. Please try again.",
+                        pollResponse.StatusCode,
+                        pollResponseBody);
+                default:
+                    throw new SafeguardDotNetException(
+                        $"Unexpected error during device code polling: {error}",
+                        pollResponse.StatusCode,
+                        pollResponseBody);
+            }
+        }
+
+        if (rstsAccessToken == null)
+        {
+            throw new SafeguardDotNetException("Device code expired before user authenticated.");
+        }
+
+        // Step 4: Exchange RSTS token for Safeguard UserToken
+        Log.Debug("Exchanging RSTS access token for Safeguard user token");
+
+        using (rstsAccessToken)
+        {
+            var responseObject = Safeguard.AgentBasedLoginUtils.PostLoginResponse(
+                appliance, rstsAccessToken, apiVersion);
+
+            var statusValue = responseObject.GetValue("Status")?.ToString();
+            if (string.IsNullOrEmpty(statusValue) || statusValue != "Success")
+            {
+                throw new SafeguardDotNetException($"Error exchanging RSTS token, status: {statusValue}");
+            }
+
+            // Step 5: Create connection
+            using var accessToken = responseObject.GetValue("UserToken")?.ToString().ToSecureString();
+            return Safeguard.Connect(appliance, accessToken, apiVersion, ignoreSsl);
+        }
+    }
+
+    private static HttpClient CreateHttpClient(bool ignoreSsl)
+    {
+        var handler = new HttpClientHandler()
+        {
+            SslProtocols = System.Security.Authentication.SslProtocols.Tls12,
+        };
+
+        if (ignoreSsl)
+        {
+#pragma warning disable S4830 // Intentional SSL bypass when user explicitly opts in
+            handler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => true;
+#pragma warning restore S4830
+        }
+
+        return new HttpClient(handler);
+    }
+}
@@ -0,0 +1,39 @@
+// Copyright (c) One Identity LLC. All rights reserved.
+
+namespace OneIdentity.SafeguardDotNet.DeviceCodeLogin;
+
+using System;
+
+/// <summary>
+/// Parameters for the Device Code authentication flow.
+/// </summary>
+public class DeviceCodeLoginParameters
+{
+    /// <summary>
+    /// Callback invoked when the user must visit a URL and enter a code.
+    /// The calling application is responsible for displaying this information
+    /// to the user (e.g., Console.WriteLine, GUI dialog, etc.).
+    /// This callback is required; passing null will throw ArgumentException.
+    /// </summary>
+    public Action<DeviceCodeInfo> DisplayCallback { get; set; }
+
+    /// <summary>
+    /// Optional identity provider scope. Format: "rsts:sts:primaryproviderid:{provider}".
+    /// If not specified, defaults to "rsts:sts:primaryproviderid:local".
+    /// Note: RSTS accepts but does not functionally use this value for device code flow.
+    /// </summary>
+    public string Scope { get; set; }
+
+    /// <summary>
+    /// OAuth2 client identifier for the device authorization request.
+    /// Default: "SafeguardDotNet". Only change if the appliance has
+    /// RelyingPartyApplications configured with a specific client_id.
+    /// </summary>
+    public string ClientId { get; set; } = "SafeguardDotNet";
+
+    /// <summary>
+    /// Polling interval in seconds between token requests. Default: 5 (RFC 8628 default).
+    /// Will be automatically increased if the server returns "slow_down".
+    /// </summary>
+    public int PollingIntervalSeconds { get; set; } = 5;
+}