by kibwen 1303 days ago
> This can be avoided by having the process listen on localhost, and then have the login flow redirect to localhost (including the token) on successful completion.

I'm confused, isn't having the device listen on localhost necessary for the device authorization grant flow? What's the alternative (that, apparently, people are doing but shouldn't be)?

My impression was that the device was repeatedly fetching site.com/auth/userid/session_id and waiting for a response with a token in it.
Yes, the RFC is quite readable and this is mentioned in the intro.

https://www.rfc-editor.org/rfc/rfc8628

This is correct.
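The polling model discussed in this thread (the device repeatedly asking the token endpoint whether the user has finished, rather than listening on localhost), as an added example that is not code from any commenter: a Python poller that handles the RFC 8628 token-endpoint error codes against a constructed in-memory stand-in for the authorization server. The client id, device code and token values are made up.

```python
"""RFC 8628 device-flow polling: the device POSTs its device_code to the token
endpoint until the user approves, the code expires, or access is denied.
The authorization server here is a constructed in-memory fake, not a real one."""
import time


class DeviceFlowError(Exception):
    pass


def poll_for_token(token_endpoint, device_code, interval, expires_in,
                   sleep=time.sleep, clock=time.monotonic):
    """Poll until a token arrives. token_endpoint(params) stands in for the
    HTTP POST; error codes follow RFC 8628 section 3.5."""
    deadline = clock() + expires_in          # honour expires_in locally too
    params = {
        "grant_type": "urn:ietf:params:oauth:grant-type:device_code",
        "device_code": device_code,
        "client_id": "example-client",        # assumed client id
    }
    while True:
        if clock() >= deadline:
            raise DeviceFlowError("expired_token")
        resp = token_endpoint(params)
        if "access_token" in resp:
            return resp
        err = resp.get("error")
        if err == "authorization_pending":
            pass                              # user has not finished yet
        elif err == "slow_down":
            interval += 5                     # RFC: back off by 5 seconds
        elif err in ("access_denied", "expired_token"):
            raise DeviceFlowError(err)        # terminal: stop polling
        else:
            raise DeviceFlowError(f"unexpected response: {resp!r}")
        sleep(interval)                       # never poll faster than interval


class FakeAuthorizationServer:
    """Constructed token endpoint that replays a scripted list of responses."""
    def __init__(self, scripted):
        self.scripted, self.calls = list(scripted), 0

    def token(self, params):
        self.calls += 1
        return self.scripted.pop(0)


def demo():
    """Pending, slow_down, pending, then a token; returns (response, waits, calls)."""
    srv = FakeAuthorizationServer([{"error": "authorization_pending"},
                                   {"error": "slow_down"},
                                   {"error": "authorization_pending"},
                                   {"access_token": "constructed-token", "token_type": "Bearer"}])
    waits = []
    resp = poll_for_token(srv.token, "constructed-device-code", 5, 1800,
                          sleep=waits.append, clock=lambda: 0.0)
    return resp, waits, srv.calls


def expiry_demo():
    """Server never approves; the local expires_in check stops the loop."""
    srv = FakeAuthorizationServer([{"error": "authorization_pending"}] * 3)
    now = [0.0]

    def sleep(s):
        now[0] += s
    try:
        poll_for_token(srv.token, "constructed-device-code", 5, 12,
                       sleep=sleep, clock=lambda: now[0])
    except DeviceFlowError as e:
        return str(e), srv.calls
```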