
Add "Device Code" as a supported OAuth Flow #2381

Closed
LikeLakers2 opened this issue Oct 23, 2020 · 5 comments
Labels
security: auth Authentication including overlap with authorization security
Comments

@LikeLakers2

LikeLakers2 commented Oct 23, 2020

Hi! I'm not in the business of making APIs myself, so I don't know how helpful I can be. However, I found that RFC8628 offers a "Device Code" type of OAuth, which I thought might be useful if it were supported by default by OpenAPI. The flow is described at https://oauth.net/2/grant-types/device-code/ as follows:

> The Device Code grant type is used by browserless or input-constrained devices in the device flow to exchange a previously obtained device code for an access token.

Looking at the RFC myself, it seems like this type of OAuth Flow would need a device authorization URL (different from a regular authorizationUrl in that this is called by the application, not the user -- the RFC has more info under section 3.1), a tokenUrl, and potentially a refreshUrl. Given how this endpoint works, it may also benefit from an optional deviceCodeFormat field, specifying what characters are allowed, how the code can be formatted (uppercase? lowercase? case-insensitive? etc.) and so on. (Turns out I was misreading the RFC -- the authorization server generates the device code, not the client)

Hopefully this isn't too far-fetched of a suggestion! :)
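The exchange described above, as an added example that is not part of the original post or of the OpenAPI project: a device calls the device authorization endpoint, shows the user a code, then polls the token endpoint. The response fields and error codes are those of RFC 8628; `AuthServer`, `poll_for_token`, the client id and the `auth.example` URL are constructed for illustration, and time is a fake counter so nothing sleeps.

```python
import secrets

class AuthServer:  # constructed in-memory stand-in for an authorization server
    def __init__(self, interval=5, expires_in=600):
        self.interval, self.expires_in, self.grants = interval, expires_in, {}

    def device_authorization(self, client_id, now):  # section 3.1: called by the device
        code = secrets.token_urlsafe(32)  # high entropy, never shown to the user
        self.grants[code] = {"client": client_id, "expires": now + self.expires_in,
                             "user_code": secrets.token_hex(4).upper(),
                             "approved_at": None, "last": None}
        return {"device_code": code, "user_code": self.grants[code]["user_code"],
                "verification_uri": "https://auth.example/device",  # placeholder
                "expires_in": self.expires_in, "interval": self.interval}

    def approve(self, user_code, at):  # user enters user_code at verification_uri
        grant = next(g for g in self.grants.values() if g["user_code"] == user_code)
        grant["approved_at"] = at

    def token(self, device_code, client_id, now):
        g = self.grants.get(device_code)
        if g is None or g["client"] != client_id:
            return {"error": "invalid_grant"}  # unknown code or a different client
        if now >= g["expires"]:
            return {"error": "expired_token"}
        last, g["last"] = g["last"], now
        if last is not None and now - last < self.interval:
            return {"error": "slow_down"}  # polled faster than `interval`
        if g["approved_at"] is None or now < g["approved_at"]:
            return {"error": "authorization_pending"}
        del self.grants[device_code]  # a device_code is redeemable once
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}

def poll_for_token(server, client_id, clock, show_user):
    """Device side. `clock` is a one-item list of fake seconds, advanced not slept."""
    grant = server.device_authorization(client_id, clock[0])
    show_user(grant["verification_uri"], grant["user_code"])
    interval, deadline, errors = grant["interval"], clock[0] + grant["expires_in"], []
    while clock[0] < deadline:
        clock[0] += interval  # a real device sleeps here
        # Real request: grant_type=urn:ietf:params:oauth:grant-type:device_code
        resp = server.token(grant["device_code"], client_id, clock[0])
        if "error" not in resp:
            return resp, errors
        errors.append(resp["error"])
        if resp["error"] == "slow_down":
            interval += 5  # section 3.5: back off by 5 seconds
        elif resp["error"] != "authorization_pending":
            break  # expired_token or invalid_grant: stop polling
    return None, errors
```
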

LikeLakers2 changed the title from "Add "Device Code" as a supported Security Scheme" to "Add "Device Code" as a supported OAuth Flow" on Oct 23, 2020

MikeRalphson reopened this on Oct 24, 2020

@philsturgeon
Contributor

@LikeLakers2 could you have a go at making a PR for this?

@LikeLakers2
Author

LikeLakers2 commented Nov 4, 2020

@philsturgeon Although I've never written anything of a specification before (aside from some notes in Notepad), I think I could give it a shot. It doesn't sound too hard, considering what little I think I'd have to add. Also it's good experience for writing a specification. :)

@CameronGo

Is there any information available on when this will be formally supported in the OpenAPI spec?

handrews added the "security: auth" label (Authentication including overlap with authorization) on Feb 1, 2024

@LasneF
Member

LasneF commented Mar 21, 2024

@handrews looks like it has been merged, so it should be good? Or is the ticket kept open till version 3.2 is released?

@handrews
Member

@LasneF we can close it - I don't always remember to check if the PR merging automatically closed the issue, thanks for noticing!


6 participants