Re: [OAUTH-WG] Direct Grant missing in draft-parecki-oauth-v2-1

Justin Richer <jricher@mit.edu> Thu, 09 April 2020 11:30 UTC

From: Justin Richer <jricher@mit.edu>
Message-Id: <0EC51F1E-689E-475D-8F3C-B17A6C5B794C@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_7DDA9C2D-5169-495C-912F-3D382C8E4DD4"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Thu, 09 Apr 2020 07:30:32 -0400
In-Reply-To: <36be532a-dca5-da55-ffdc-a283724df824@danielfett.de>
Cc: Rob Otto <robotto@pingidentity.com>, oauth <oauth@ietf.org>
To: Daniel Fett <fett@danielfett.de>
References: <CAOW4vyPN7iCt9FdGDhzFWsPB=PVcRaLqgTHtAFA07D-E6SuzzQ@mail.gmail.com> <07ef79c7-9ae7-98ee-d3d2-b4e7fa68644c@danielfett.de> <CABh6VRGvkyWD1-ffRqJHVRp3wkaZ2bB3PRfb3wj-cE7N0OcQCA@mail.gmail.com> <36be532a-dca5-da55-ffdc-a283724df824@danielfett.de>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/lZpdkDYdGwTnT3z28oUCOvnoV9g>

We’ve looked at this with XYZ, and one of the patterns that’s possible with the backchannel-first flow is to have the server send a challenge back to the client which the client can then respond to, for example by signing it with a FIDO style device key. Depending on the system, the client could identify the user in the first request or the credential could carry the identification directly. You need an “extra” round trip compared to OAuth2 style flows, but it makes life a whole lot simpler for this kind of user authn.

 — Justin

> On Apr 9, 2020, at 4:09 AM, Daniel Fett <fett@danielfett.de> wrote:
> 
> 
> Am 09.04.20 um 09:55 schrieb Rob Otto:
>> I'd imagine you have to pre-register each client and then use HOTP or TOTP to generate one-time passcodes. 
>> 
> 
> I can come up with a couple of other ways as well, but I'm interested to hear what Francis sees "in the wild".
> 
> -Daniel
> 
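The challenge-response pattern Justin sketches above (client identifies itself on the backchannel, the server returns a challenge, the client answers by signing it with a pre-registered device key, then the server issues a token) as an added worked example. This is illustrative code written for this page, not XYZ, OAuth 2.1 or any code from the thread's participants; it assumes an Ed25519 key standing in for the FIDO-style device key, invented message shapes (`StartFlow`/`Complete`), a two-minute challenge lifetime and a constructed server origin `https://as.example`. The extra round trip is visible as the two server methods; the server-side checks (single use, expiry, client binding, origin binding in the signed payload) are the parts a deployer would want.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// challenge is one outstanding nonce, bound to the client it was issued to.
type challenge struct {
	clientID string
	nonce    []byte
	expires  time.Time
}

// AuthServer is a toy authorization server for the backchannel-first flow (assumed shape).
type AuthServer struct {
	origin     string                       // server identifier mixed into the signed payload
	registered map[string]ed25519.PublicKey // clientID -> pre-registered device public key
	pending    map[string]challenge         // challenge ID -> outstanding challenge (single use)
	now        func() time.Time             // injectable clock so expiry can be exercised
}

func NewAuthServer(origin string) *AuthServer {
	return &AuthServer{origin: origin, registered: map[string]ed25519.PublicKey{},
		pending: map[string]challenge{}, now: time.Now}
}

// Register records a client's device public key ahead of time (the pre-registration step).
func (s *AuthServer) Register(clientID string, pub ed25519.PublicKey) { s.registered[clientID] = pub }

// StartFlow is round trip 1: the client identifies itself, the server returns a fresh challenge.
func (s *AuthServer) StartFlow(clientID string) (challengeID string, nonce []byte, err error) {
	if _, ok := s.registered[clientID]; !ok {
		return "", nil, errors.New("unknown client")
	}
	id := make([]byte, 16)
	nonce = make([]byte, 32)
	if _, err = rand.Read(id); err != nil {
		return "", nil, err
	}
	if _, err = rand.Read(nonce); err != nil {
		return "", nil, err
	}
	challengeID = hex.EncodeToString(id)
	s.pending[challengeID] = challenge{clientID: clientID, nonce: nonce, expires: s.now().Add(2 * time.Minute)}
	return challengeID, nonce, nil
}

// signedPayload binds the nonce to the client and to this server's origin, so a
// signature obtained for one server cannot be presented to another.
func signedPayload(origin, clientID string, nonce []byte) []byte {
	return []byte(origin + "\x00" + clientID + "\x00" + hex.EncodeToString(nonce))
}

// ClientSign is the client side of round trip 2: the device key signs the challenge.
func ClientSign(priv ed25519.PrivateKey, origin, clientID string, nonce []byte) []byte {
	return ed25519.Sign(priv, signedPayload(origin, clientID, nonce))
}

// Complete is the server side of round trip 2: consume the challenge, check expiry and
// client binding, verify the device signature, and issue a (placeholder) access token.
func (s *AuthServer) Complete(challengeID, clientID string, sig []byte) (string, error) {
	ch, ok := s.pending[challengeID]
	if !ok {
		return "", errors.New("unknown or already used challenge")
	}
	delete(s.pending, challengeID) // single use, whether or not verification succeeds
	if s.now().After(ch.expires) {
		return "", errors.New("challenge expired")
	}
	if ch.clientID != clientID {
		return "", errors.New("challenge was issued to a different client")
	}
	if !ed25519.Verify(s.registered[clientID], signedPayload(s.origin, clientID, ch.nonce), sig) {
		return "", errors.New("device signature invalid")
	}
	tok := make([]byte, 16)
	if _, err := rand.Read(tok); err != nil {
		return "", err
	}
	return "tok_" + hex.EncodeToString(tok), nil // constructed token format
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	as := NewAuthServer("https://as.example") // constructed origin
	as.Register("client-42", pub)
	cid, nonce, _ := as.StartFlow("client-42")
	tok, err := as.Complete(cid, "client-42", ClientSign(priv, as.origin, "client-42", nonce))
	fmt.Println("issued:", tok, err)
	_, err = as.Complete(cid, "client-42", ClientSign(priv, as.origin, "client-42", nonce))
	fmt.Println("replay:", err)
}
```

Whether the client names the user in `StartFlow` or the credential itself carries the identification (both options Justin mentions) only changes what goes into the first request; the server-side checks in `Complete` stay the same.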