[OAUTH-WG] Using OAuth for password reset

[Jaap Francke <jaap.francke@iwelcome.com>]

Hi all,

I was wondering if anyone considered using OAuth for password resets. Or maybe this is common practice, I don’t know.

My line of thinking is that a password is "just-another-resource" that is stored at a resource server.
So the resource server requires an access token for anyone/any client that wants to update/change the password.
The authorisation server that issues access-tokens somehow needs to authenticate the client that wants an access token for changing a certain password.

Authentication is half in-scope and half out-of-scope of OAuth specifications.
In the Authorisation Code grant (AC), it is left out-of-scope how the AS authenticates the RO, but it does state it should happen through the user-agent during the execution of the grant.
In the ResourceOwner password credential (ROPC) grant, the username/password is sent to the AS as part of the authorisation request / redirect.

For a password reset scenario, I would say we need a new grant which would be inbetween AC-grant and ROPC-grant:
- it starts with a redirect to the AS including a “password reset token” - somewhat similar to the ROPC-grant: the password reset-token can be viewed as combination of username and a (one-time) password. This is basically clicking on a password reset link
- subsequently the AS could perform additional authentication steps (e.g. 2FA-SMS) - similar to what is possible with the AC-grant
- when AS thinks the user is sufficiently authenticated, the AS could issue the authorisation code and things would proceed as with the AC-grant

Obviously this is preceeded by a request for a password-reset link, which gets sent to the legitimate resource owner Out-Of-Bound via email, SMS, or whatsoever.

Am I making things too complicated here? Or would this be the proper way to do it? I’m trying to hook-up to the most secure OAuth mechanisms.
Any thoughts?

Jaap Francke