diff --git a/example/server/exampleop/op.go b/example/server/exampleop/op.go
index 5604483..6619b6e 100644
--- a/example/server/exampleop/op.go
+++ b/example/server/exampleop/op.go
@@ -107,7 +107,7 @@ func newOP(storage op.Storage, issuer string, key [32]byte) (op.OpenIDProvider,
 DeviceAuthorization: op.DeviceAuthorizationConfig{
 Lifetime: 5 * time.Minute,
 PollInterval: 5 * time.Second,
- UserFormURL: issuer + "device",
+ UserFormURL: "/device",
 UserCode: op.UserCodeBase20,
 },
 }
diff --git a/pkg/op/device.go b/pkg/op/device.go
index 04c06f2..5526f48 100644
--- a/pkg/op/device.go
+++ b/pkg/op/device.go
@@ -8,6 +8,7 @@ import (
 "fmt"
 "math/big"
 "net/http"
+ "net/url"
 "strings"
 "time"
@@ -18,8 +19,11 @@ import (
 type DeviceAuthorizationConfig struct {
 Lifetime time.Duration
 PollInterval time.Duration
- UserFormURL string // the URL where the user must go to authorize the device
- UserCode UserCodeConfig
+
+ // Path on the current host, where the user must go to authorize the device.
+ // Hostname will the current issuer from the context.
+ UserFormURL string
+ UserCode UserCodeConfig
 }
 type UserCodeConfig struct {
@@ -82,15 +86,22 @@ func DeviceAuthorization(w http.ResponseWriter, r *http.Request, o OpenIDProvide
 return err
 }
+ verification, err := url.Parse(IssuerFromContext(r.Context()))
+ if err != nil {
+ return oidc.ErrServerError().WithParent(err).WithDescription("invalid URL for issuer")
+ }
+ verification.Path = config.UserFormURL
+
 response := &oidc.DeviceAuthorizationResponse{
 DeviceCode: deviceCode,
 UserCode: userCode,
- VerificationURI: config.UserFormURL,
+ VerificationURI: verification.String(),
 ExpiresIn: int(config.Lifetime / time.Second),
 Interval: int(config.PollInterval / time.Second),
 }
- response.VerificationURIComplete = fmt.Sprintf("%s?user_code=%s", config.UserFormURL, userCode)
+ verification.RawQuery = "user_code=" + userCode
+ response.VerificationURIComplete = verification.String()
 httphelper.MarshalJSON(w, response)
 return nil
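Review bot: The new comment on `UserFormURL` does not say that the value must now be a path only, and its second sentence is missing a verb ("Hostname will the current issuer"). Because the handler in this commit assigns the field to the URL's path, a configuration that still holds an absolute URL, as the example did before this change, would be embedded as a path rather than rejected. I would word it as `// UserFormURL is the path on the issuer's host where the user authorizes the device, e.g. "/device".` followed by `// It must not contain a scheme or host; the host is taken from the issuer in the request context.`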
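Review bot: `url.Parse` returns no error for an empty or scheme-less string, so a request context without an issuer still produces a response, with a relative `verification_uri` such as "/device"; the check after the parse should reject that too, e.g. `if err != nil || verification.Scheme == "" || verification.Host == "" {`. The host shown to the user now comes from the per-request issuer, and how that value is placed in the context is not visible in this hunk, so it is worth confirming there that it cannot be steered by request headers to a host the provider does not own. `user_code` is concatenated into `RawQuery` unescaped; `verification.RawQuery = url.Values{"user_code": {userCode}}.Encode()` keeps the URL well-formed whatever character set is configured. The body of `DeviceAuthorization` starts and ends outside the hunk.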
diff --git a/pkg/op/device_test.go b/pkg/op/device_test.go
index 69ba102..66f9253 100644
--- a/pkg/op/device_test.go
+++ b/pkg/op/device_test.go
@@ -30,6 +30,7 @@ func Test_deviceAuthorizationHandler(t *testing.T) {
 r := httptest.NewRequest(http.MethodPost, "/", body)
 r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+ r = r.WithContext(op.ContextWithIssuer(r.Context(), testIssuer))
 w := httptest.NewRecorder()
diff --git a/pkg/op/op_test.go b/pkg/op/op_test.go
index ba3570b..0cd5a87 100644
--- a/pkg/op/op_test.go
+++ b/pkg/op/op_test.go
@@ -40,7 +40,7 @@ func init() {
 DeviceAuthorization: op.DeviceAuthorizationConfig{
 Lifetime: 5 * time.Minute,
 PollInterval: 5 * time.Second,
- UserFormURL: testIssuer + "device",
+ UserFormURL: "/device",
 UserCode: op.UserCodeBase20,
 },
 }