Re: [OAUTH-WG] Usage of Password Grant
Beena Santhosh <beenapurushothaman@gmail.com> Fri, 15 May 2020 16:13 UTC
Return-Path: <beenapurushothaman@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5CF33A0BB3 for <oauth@ietfa.amsl.com>; Fri, 15 May 2020 09:13:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fkqWG2O2UTzz for <oauth@ietfa.amsl.com>; Fri, 15 May 2020 09:13:37 -0700 (PDT)
Received: from mail-qt1-x82a.google.com (mail-qt1-x82a.google.com [IPv6:2607:f8b0:4864:20::82a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D09F03A0C00 for <oauth@ietf.org>; Fri, 15 May 2020 09:13:36 -0700 (PDT)
Received: by mail-qt1-x82a.google.com with SMTP id i68so2398634qtb.5 for <oauth@ietf.org>; Fri, 15 May 2020 09:13:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=/FP3JABfq287i6rqFVlg+7XoKSkLb/pO/crYGT5rogc=; b=Upq8yQYbuy/uriVGl6sFhff9rGDmyiDZWeCXjGHM1kgFTwAHV6azvYGiqYBu4GsCPk M6ACgybhy6LKCAv9gcX+mo77ZUyFP0MGSv01UkxCDA/NgVf0WbQfn4BZoVcLUw3k0jqj j5Lh+c029rcZ+cHO7fCdnKz4sl64/LuPj1clBqtIStWgzPH+RA2f0wOOLFrVPKcxfCCZ B3QQmvO4FAVnbch3XtXDK5kD25jG1DdLdy80xxJlSAxYjL7JLAyl85KRxilZVp8pOLmM MpQVJE5Bd9LJOZB1sC7bTz5vPQEkR3iWurIT1Ss8nyvPgoRt8P/ThtQRwo88TcY5vOXi wrrA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=/FP3JABfq287i6rqFVlg+7XoKSkLb/pO/crYGT5rogc=; b=XVw8Q7qCp/qzqlsOVKBHgcau+cwu9Fn3qF5pH0WYiaJf5XrCl4iDZYme0/6ZEcQxgG Pt03gL48SdF9OsR1UpNDyIiewMaVqXE1F47cKm9GC2EclTRsKRAU1xrCMW0RJANde8S5 5hKBHMLPgAHQQjBY4YORQqQK5ZghAtcdRaYlmnKaiZFfUD3NQco60YSGAqrLHnArBsrf pvqaurGdIpwYRGaHOKPpHm8rFaiNE6iAw1h8fdarceBM5zyqAdbKM2UpwEzeU1lfDWb5 kUlazKt/WTIeGD55pG+ZrGHuSMlFBKMu1pAXfy/xRumJksR5akYABikE01ErwpSz/GCr nvzw==
X-Gm-Message-State: AOAM531DmckViHXGUH6urROjiGE8vg04KD1EraWTjJa3ZJC/2gb5/wS2 iAP7W0K8Wa1bWx+otNUrqp81C8apgC4LupnareU=
X-Google-Smtp-Source: ABdhPJzu/Mhkb0+MQk+yy6g8Z9ClKSS7qEde/6OWdj6nn1XmKcr67P+BnEhjkHd9XjAq9KIgnBNRRKnPQ/WtILYx+jY=
X-Received: by 2002:ac8:39a4:: with SMTP id v33mr4404087qte.251.1589559215811; Fri, 15 May 2020 09:13:35 -0700 (PDT)
MIME-Version: 1.0
References: <CAB=KHVUNv9op+kniNuaUJyPKhWQLSYjOfFb+g=4Tg1n4t08ixw@mail.gmail.com> <CAGBSGjqAJ9X7CU_csBJ-eHQQJKCLa4JuR-eqK=2qFURfdLT36g@mail.gmail.com> <CAB=KHVUePF_yqUP_nFcb3cozyxAGBcxUAeFFjPuq7CF=26QgLg@mail.gmail.com> <CAGBSGjpZp4W9WTvJHGN_Mc5ti2rZqTdfnogp3G0BAEqhDFV1rQ@mail.gmail.com> <CAB=KHVVpGM4Comjh_=beuPbaUBZar2vJ9Ap8j27Cy6LnLdzh-w@mail.gmail.com>
In-Reply-To: <CAB=KHVVpGM4Comjh_=beuPbaUBZar2vJ9Ap8j27Cy6LnLdzh-w@mail.gmail.com>
From: Beena Santhosh <beenapurushothaman@gmail.com>
Date: Fri, 15 May 2020 21:43:24 +0530
Message-ID: <CAB=KHVXy790gyhvP-WfXvHMbAVMbJxvRvPUdw-c7o8027mpk+g@mail.gmail.com>
To: Aaron Parecki <aaron@parecki.com>, oauth@ietf.org
Content-Type: multipart/alternative; boundary="00000000000068754405a5b218d1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/b595X_S_cIzQLk128zVRZuBZpnU>
Subject: Re: [OAUTH-WG] Usage of Password Grant
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 May 2020 16:13:39 -0000
Hi Aaron, I had a re-look at this and the difference I still see is that I am able to use a common client_id with Password Grant, which does not seem possible using Credentials Grant. Without Password grant I don't see a way to achieve this. Thank You, Beena On Tue, May 12, 2020 at 12:40 PM Beena Santhosh < beenapurushothaman@gmail.com> wrote: > Hi Aaron, > > > What we are planning to build is a Public first party client. As per the > spec the client secret is optional for Password Grant. Hence we choose to > use a common client_id across all the devices. The first party client on > every device will get the common client_id through our proprietary API. > We found this as a difference between Password Grant and Client credentials > grant. We could be wrong but this is our interpretation. This way we could > make use of the rest of the benefits that OAuth provides around access > tokens > > > Thank You, > > Beena > > On Mon, May 11, 2020 at 11:15 PM Aaron Parecki <aaron@parecki.com> wrote: > >> With the password grant you'd then need to register 50,000+ user >> accounts, right? How is that different from registering that many clients? >> >> On Mon, May 11, 2020 at 10:39 AM Beena Santhosh < >> beenapurushothaman@gmail.com> wrote: >> >>> Hi Aaron, >>> >>> Thank You for the quick response. >>> >>> We do support 1, 50, 000+ devices and that means we need to register >>> those many devices dynamically, the provider we have evaluated is not >>> supporting that scale . Once we incorporate IoT, we need to support >>> millions of devices. With Password Grant as we need only one client_id it >>> is easy to manage. Also our client is First Party client. >>> >>> >>> Thank You, >>> >>> Beena >>> >>> On Sun, May 10, 2020 at 7:50 PM Aaron Parecki <aaron@parecki.com> wrote: >>> >>>> Hi Beena, >>>> >>>> This sounds like a great use of the client credentials grant. The >>>> password grant is being removed from OAuth 2.0 by the Security Best Current >>>> Practice. Can you clarify what you've found useful about the password grant >>>> that the client credentials grant doesn't solve? >>>> >>>> Aaron Parecki >>>> >>>> >>>> On Sun, May 10, 2020 at 3:18 AM Beena Santhosh < >>>> beenapurushothaman@gmail.com> wrote: >>>> >>>>> Hi, >>>>> >>>>> >>>>> We have a product with client server architecture where our server >>>>> manages thousands of devices. Each device has a client-piece that talks to >>>>> the server over SOAP/REST. The client currently uses a HTTP Basic >>>>> Authentication (unique id and a secret string) for all the calls. The >>>>> secret string is created when the device enrolls to the server. It is >>>>> available at the server as well as stored securely on the device. For the >>>>> rest calls it is the device that is getting authenticated. >>>>> >>>>> >>>>> >>>>> Sending the credentials every time is less than ideal and we want to >>>>> move to some tokenized device authentication. We evaluated OpendID Connect >>>>> based on the general recommendation of SSO solution, but the issue is we do >>>>> not have any user interaction and hence there is no Grant flow that is >>>>> fitting. Hence we evaluated OAuth grant type of which we found Password >>>>> Grant and Client Credentials Grant is matching our requirement. >>>>> >>>>> >>>>> >>>>> In order to use Client Credentials in our use case, we need to do >>>>> dynamic registration for the thousands of devices managed by the server, if >>>>> IoT comes into picture the number is going to be even higher, which is >>>>> highly cumbersome to manage. Also, as per RFC7591 on dynamic client >>>>> registration, using access token for registering client is optional too. >>>>> Even though the Password grant is highly discouraged by the spec, we found >>>>> it to be highly matching with our requirements. >>>>> >>>>> >>>>> >>>>> But as per the Oauth 2.1 proposal, password grant is going to be >>>>> removed. Can you suggest the way forward for us? I believe we are not >>>>> a one-off case. >>>>> >>>>> >>>>> Thank You, >>>>> >>>>> Beena >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>> >>>>
- [OAUTH-WG] Usage of Password Grant Beena Santhosh
- Re: [OAUTH-WG] Usage of Password Grant Aaron Parecki
- Re: [OAUTH-WG] Usage of Password Grant Beena Santhosh
- Re: [OAUTH-WG] Usage of Password Grant Evert Pot
- Re: [OAUTH-WG] Usage of Password Grant Beena Santhosh
- Re: [OAUTH-WG] Usage of Password Grant Mohamed Seada