OAuth Device Code Flow Security: How to Detect and Prevent Device Code Phishing
đ OAuth Device Code Phishing: MFA doesn't stop it. Attackers abuse RFC 8628 (Device Authorization Grant) to steal M365 refresh tokens â the user completes MFA against a REAL Microsoft page, but unknowingly authorizes the attacker's session. đĄď¸ How to block it: ⢠Entra ID: Conditional Access â block "device code flow" auth method ⢠Keycloak: Realm Settings â disable device authorization grant endpoint ⢠Auth0: Application â Advanced Settings â uncheck "Device Code" grant type đ SIEM detection (Sentinel KQL included) for orgs that can't disable it immediately. Full guide â https://iamdevbox.com/posts/oauth-device-code-flow-security-prevent-device-code-phishing/ #OAuth #Security #MFA #EntraID #Keycloak #DevSecOps #IAM #RFC8628 #Phishing #ZeroTrust Read more: OAuth Device Code Flow Security: How to Detect and Prevent Device Code Phishing











