Re: [OAUTH-WG] Subject: Re: Usage of Password Grant
Aaron Parecki <aaron@parecki.com> Tue, 12 May 2020 03:17 UTC
Return-Path: <aaron@parecki.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3B693A0973 for <oauth@ietfa.amsl.com>; Mon, 11 May 2020 20:17:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=parecki-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t2Kks8sYD5yB for <oauth@ietfa.amsl.com>; Mon, 11 May 2020 20:17:20 -0700 (PDT)
Received: from mail-il1-x136.google.com (mail-il1-x136.google.com [IPv6:2607:f8b0:4864:20::136]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D6C33A0966 for <oauth@ietf.org>; Mon, 11 May 2020 20:17:20 -0700 (PDT)
Received: by mail-il1-x136.google.com with SMTP id t12so10803786ile.9 for <oauth@ietf.org>; Mon, 11 May 2020 20:17:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=parecki-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Pp/CDOwXN1fYCs+l7mbvxWj4vnY5fw6m2U/7/80ZsSk=; b=cxqenVFaUVrrTcepTaAgWmege8q0+vnqpDOYWFtKnAl4JBlfJmF6zVFXJ65UdHB8uL /2fxS7pH8Qnmw2geXpw0qgh8/b4DYcXFkgfOqVlWuz3+jzSe2Zz7oZAEDX3HvCu2E2w/ WBh/sHZ004g1gAXoMjkcdq8ws33qa8wN3S5zbxK3M7vqrdt5xS7C1GOQAceX5kGq46Wf wr8ZrNDByE6qIjDUa6tovVNtCzbtJrRHebrHSI2jbEn8gTw1KYEzKOsf4v+o/DP/zNaN /6FoIGFhbC5J4V76ppHmt19LMsG+BUykf3I/Xx+hDkDTzBZ0fYs5ZTGjASZTXDtaxbrc IW+g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Pp/CDOwXN1fYCs+l7mbvxWj4vnY5fw6m2U/7/80ZsSk=; b=dAEYoButf/d12LwQA6rwGFYLvlC1MLAIKjgFngDG5fyWC3NSEw06Vhz90K3MWawv3R 7npLJJuhmZNmcjpeh2jemOgFfT8XdPK+nexBgOHWsiIjO2k7V2zU8zI0o96N3hk6twfn eRR2HcqAeFTF5kkcuPi+slCjBjc19euI92+oI+ujGXC/RQqQWOk9G0jCaTmgfQu28hCn F4MaEswZR3cBea91pJi8G5XlulKeFgtEOnVMneD3INWkKqtqooUAixHJO9M7A4I/AeVU If/e/Mm/6GpnaR1DVKy51XTQhuYGoJ0qOLm/8uVWKHdme0K6lRwqmaOgOB0nQd1YEi49 Sdog==
X-Gm-Message-State: AGi0PubqRhF6zTAQAYY+lutLnvkMYDHse85zXRwfxH3nVZXVey1ResQN OkQxfa6ligTxGVXn7A5GnypoAHf9c8qbEg==
X-Google-Smtp-Source: APiQypLqIKKMfbOzB3+GmUkrPzYv4CQ86Sbuh/ycy6/nXTV7eniOr5zPy1yvcgFZrA8p5I+yBplllA==
X-Received: by 2002:a05:6e02:66c:: with SMTP id l12mr8844983ilt.289.1589253438802; Mon, 11 May 2020 20:17:18 -0700 (PDT)
Received: from mail-io1-f41.google.com (mail-io1-f41.google.com. [209.85.166.41]) by smtp.gmail.com with ESMTPSA id p10sm5917189ilp.29.2020.05.11.20.17.17 for <oauth@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 11 May 2020 20:17:17 -0700 (PDT)
Received: by mail-io1-f41.google.com with SMTP id u11so12314278iow.4 for <oauth@ietf.org>; Mon, 11 May 2020 20:17:17 -0700 (PDT)
X-Received: by 2002:a05:6638:277:: with SMTP id x23mr1166662jaq.122.1589253437328; Mon, 11 May 2020 20:17:17 -0700 (PDT)
MIME-Version: 1.0
References: <mailman.63.1589137240.21551.oauth@ietf.org> <CAOW4vyMfPmVyAMmfb0YuKEvZB+NaMowQmeq0oAv_Q_5KynNrNw@mail.gmail.com>
In-Reply-To: <CAOW4vyMfPmVyAMmfb0YuKEvZB+NaMowQmeq0oAv_Q_5KynNrNw@mail.gmail.com>
From: Aaron Parecki <aaron@parecki.com>
Date: Mon, 11 May 2020 20:17:06 -0700
X-Gmail-Original-Message-ID: <CAGBSGjox_ytHvvAi=aWY_oVh=t5qtfZPRDXpMv6HdrBVvTfc6A@mail.gmail.com>
Message-ID: <CAGBSGjox_ytHvvAi=aWY_oVh=t5qtfZPRDXpMv6HdrBVvTfc6A@mail.gmail.com>
To: Francis Pouatcha <fpo=40adorsys.de@dmarc.ietf.org>
Cc: OAuth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000097109105a56ae61c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/MnZZKULP-U4PtINv7NedvGFa5m0>
Subject: Re: [OAUTH-WG] Subject: Re: Usage of Password Grant
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 May 2020 03:17:23 -0000
> In the password grant flow, the device holds the password and is not
involved in any interaction with the AS. This keeps the device use case
simple.
I'm not sure what you mean by this. If you're suggesting that the client
never interacts with the AS and sends the password directly to the resource
server, that's never been part of OAuth. That's specifically the situation
OAuth was created to avoid.
The password grant gave the client a way to exchange the password for an
access token by sending it first to the AS. As such, the difference between
the password grant and the client credentials grant is the presence of two
additional parameters in the request to the AS:
POST /token
grant_type=client_credentials
&client_id=X
&client_secret=Y
vs
POST /token
grant_type=password
&client_id=X
&client_secret=Y
&username=Z
&password=Q
The response of both of these is an access token, which the client then
sends to the resource server.
> In order to use Client Credentials in our use case, we need to do dynamic
> registration for the thousands of devices managed by the server
Regardless of which of these two methods you use, the client's credentials
(either client ID/secret or username/password) needs to be enrolled at the
AS in order to get an access token. That's why I'm saying there isn't a
functional difference and trying to clarify why you think the password
grant is a better fit for your situation. In reality for your use case it
seems it is only adding complexity to the situation compared to just using
a client ID and secret.
Aaron Parecki
On Mon, May 11, 2020 at 7:11 PM Francis Pouatcha <fpo=
40adorsys.de@dmarc.ietf.org> wrote:
> Hi Aaron,
>
>>
>>
>> Hi Beena,
>>
>> This sounds like a great use of the client credentials grant. The password
>> grant is being removed from OAuth 2.0 by the Security Best Current
>> Practice. Can you clarify what you've found useful about the password
>> grant
>> that the client credentials grant doesn't solve?
>>
> Beena could use the Dynamic Client Registration to have all those devices
> registered as oAuth Clients. But this seems to be inconvenient as he
> describes.
>
> In the password grant flow, the device holds the password and is not
> involved in any interaction with the AS. This keeps the device use case
> simple.
>
>
>>
>> Aaron Parecki
>>
>>
>> On Sun, May 10, 2020 at 3:18 AM Beena Santhosh <
>> beenapurushothaman@gmail.com>
>> wrote:
>>
>> > Hi,
>> >
>> >
>> > We have a product with client server architecture where our server
>> manages
>> > thousands of devices. Each device has a client-piece that talks to the
>> > server over SOAP/REST. The client currently uses a HTTP Basic
>> > Authentication (unique id and a secret string) for all the calls. The
>> > secret string is created when the device enrolls to the server. It is
>> > available at the server as well as stored securely on the device. For
>> the
>> > rest calls it is the device that is getting authenticated.
>> >
>> >
>> >
>> > Sending the credentials every time is less than ideal and we want to
>> move
>> > to some tokenized device authentication. We evaluated OpendID Connect
>> based
>> > on the general recommendation of SSO solution, but the issue is we do
>> not
>> > have any user interaction and hence there is no Grant flow that is
>> fitting.
>> > Hence we evaluated OAuth grant type of which we found Password Grant and
>> > Client Credentials Grant is matching our requirement.
>> >
>> >
>> >
>> > In order to use Client Credentials in our use case, we need to do
>> dynamic
>> > registration for the thousands of devices managed by the server, if IoT
>> > comes into picture the number is going to be even higher, which is
>> highly
>> > cumbersome to manage. Also, as per RFC7591 on dynamic client
>> > registration, using access token for registering client is optional too.
>> > Even though the Password grant is highly discouraged by the spec, we
>> found
>> > it to be highly matching with our requirements.
>> >
>> >
>> >
>> > But as per the Oauth 2.1 proposal, password grant is going to be
>> removed. Can
>> > you suggest the way forward for us? I believe we are not a one-off case.
>> >
>> >
>> > Thank You,
>> >
>> > Beena
>> > _______________________________________________
>> > OAuth mailing list
>> > OAuth@ietf.org
>> > https://www.ietf.org/mailman/listinfo/oauth
>> >
>> -------------- next part --------------
>> An HTML attachment was scrubbed...
>> URL: <
>> https://mailarchive.ietf.org/arch/browse/oauth/attachments/20200510/8873117a/attachment.html
>> >
>>
>> ------------------------------
>>
>> Subject: Digest Footer
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>> ------------------------------
>>
>> End of OAuth Digest, Vol 139, Issue 45
>> **************************************
>>
>
>
> --
> Francis Pouatcha
> Co-Founder and Technical Lead at adorys
> https://adorsys-platform.de/solutions/
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
- [OAUTH-WG] Subject: Re: Usage of Password Grant Francis Pouatcha
- Re: [OAUTH-WG] Subject: Re: Usage of Password Gra… Aaron Parecki