[OAUTH-WG] Subject: Re: Usage of Password Grant
Francis Pouatcha <fpo@adorsys.de> Tue, 12 May 2020 02:11 UTC
Return-Path: <fpo@adorsys.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 788D03A0044 for <oauth@ietfa.amsl.com>; Mon, 11 May 2020 19:11:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=adorsys.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IuW4hrVfoia0 for <oauth@ietfa.amsl.com>; Mon, 11 May 2020 19:11:14 -0700 (PDT)
Received: from mail-wr1-x431.google.com (mail-wr1-x431.google.com [IPv6:2a00:1450:4864:20::431]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 48BC23A003D for <oauth@ietf.org>; Mon, 11 May 2020 19:11:14 -0700 (PDT)
Received: by mail-wr1-x431.google.com with SMTP id h17so4490368wrc.8 for <oauth@ietf.org>; Mon, 11 May 2020 19:11:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=adorsys.de; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=GVYaP2rSCODeASCndPQqHayDGjfkjhtCL6BZ6COBuWA=; b=Rdyyuj7hwu+BuC2gMfdKZN7wrJtF0jrMZMLPppBpCmFoc14HAL+SFfNF7pyjgmK+DG 8HgBHc/w/VfGu9Bf1JJ+V72neVMVNCc4ytemMGZJbBFYmL/a8DKEtFRzZqONy/ZOsEw9 ejpkzYkqRqplYtUZHN6CgDBcAbABgsVHqwzOo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=GVYaP2rSCODeASCndPQqHayDGjfkjhtCL6BZ6COBuWA=; b=qoAQctPuBpYeZ1xOaIvdVqLSGK4RgxKXrjkfGgNxzWyiax5HtIpJcntYdUcURxfEBd plT8mqxLLV1ig+z5HsgvRa8Zwjdoj6NjhEdBm+NXqNGltrRSkQqNrl64didO6sCDvr1p 1BZCsqeiXhDsowiaicsQKQ1XsQswzY/QJolbez8FIIXZEhznYy3wSGh5SFJy0pDiUpfR jw3QBwS908nf5BIZpHYharSBhdZm42exJ/OI+IPKPBtyTSrtnpFPEnubJoJ52GO8BhBY Qci1nRnRqNvdVvrRdcMmMxzssXPDf8zIHmTEpXOfDGBl7krbJmRZW9Yq8cRnZo1YBENM aNaw==
X-Gm-Message-State: AGi0PuanK+wwcOrw82R0QZfy2AI2emHa6Rcz3CyIhLEL5sXkbtnZM3YD whycgRw2Y2msFB9aizXEHGg8lUVxCAPHXqukIs2i3d/AUETCuQ==
X-Google-Smtp-Source: APiQypL6j60zeiuSD3JBMSeiZrRLauK+dDXfP0V6E4mMnB9rn/shE98p30B3QqyYH0tZeSOzy9zXeLonn2cEM4ctDN8=
X-Received: by 2002:a5d:684f:: with SMTP id o15mr21480316wrw.89.1589249472309; Mon, 11 May 2020 19:11:12 -0700 (PDT)
MIME-Version: 1.0
References: <mailman.63.1589137240.21551.oauth@ietf.org>
In-Reply-To: <mailman.63.1589137240.21551.oauth@ietf.org>
From: Francis Pouatcha <fpo@adorsys.de>
Date: Mon, 11 May 2020 22:11:01 -0400
Message-ID: <CAOW4vyMfPmVyAMmfb0YuKEvZB+NaMowQmeq0oAv_Q_5KynNrNw@mail.gmail.com>
To: OAuth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000041c27e05a569faaf"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/0YV1EYuB2XW8WEczRbOpi09d0EQ>
Subject: [OAUTH-WG] Subject: Re: Usage of Password Grant
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 May 2020 02:11:16 -0000
Hi Aaron, > > > Hi Beena, > > This sounds like a great use of the client credentials grant. The password > grant is being removed from OAuth 2.0 by the Security Best Current > Practice. Can you clarify what you've found useful about the password grant > that the client credentials grant doesn't solve? > Beena could use the Dynamic Client Registration to have all those devices registered as oAuth Clients. But this seems to be inconvenient as he describes. In the password grant flow, the device holds the password and is not involved in any interaction with the AS. This keeps the device use case simple. > > Aaron Parecki > > > On Sun, May 10, 2020 at 3:18 AM Beena Santhosh < > beenapurushothaman@gmail.com> > wrote: > > > Hi, > > > > > > We have a product with client server architecture where our server > manages > > thousands of devices. Each device has a client-piece that talks to the > > server over SOAP/REST. The client currently uses a HTTP Basic > > Authentication (unique id and a secret string) for all the calls. The > > secret string is created when the device enrolls to the server. It is > > available at the server as well as stored securely on the device. For the > > rest calls it is the device that is getting authenticated. > > > > > > > > Sending the credentials every time is less than ideal and we want to > move > > to some tokenized device authentication. We evaluated OpendID Connect > based > > on the general recommendation of SSO solution, but the issue is we do not > > have any user interaction and hence there is no Grant flow that is > fitting. > > Hence we evaluated OAuth grant type of which we found Password Grant and > > Client Credentials Grant is matching our requirement. > > > > > > > > In order to use Client Credentials in our use case, we need to do > dynamic > > registration for the thousands of devices managed by the server, if IoT > > comes into picture the number is going to be even higher, which is highly > > cumbersome to manage. Also, as per RFC7591 on dynamic client > > registration, using access token for registering client is optional too. > > Even though the Password grant is highly discouraged by the spec, we > found > > it to be highly matching with our requirements. > > > > > > > > But as per the Oauth 2.1 proposal, password grant is going to be > removed. Can > > you suggest the way forward for us? I believe we are not a one-off case. > > > > > > Thank You, > > > > Beena > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: < > https://mailarchive.ietf.org/arch/browse/oauth/attachments/20200510/8873117a/attachment.html > > > > ------------------------------ > > Subject: Digest Footer > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > ------------------------------ > > End of OAuth Digest, Vol 139, Issue 45 > ************************************** > -- Francis Pouatcha Co-Founder and Technical Lead at adorys https://adorsys-platform.de/solutions/
- [OAUTH-WG] Subject: Re: Usage of Password Grant Francis Pouatcha
- Re: [OAUTH-WG] Subject: Re: Usage of Password Gra… Aaron Parecki