[OAUTH-WG] Usage of Password Grant

Beena Santhosh <beenapurushothaman@gmail.com> Sun, 10 May 2020 10:03 UTC

Return-Path: <beenapurushothaman@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id ADEF73A0860 for <oauth@ietfa.amsl.com>; Sun, 10 May 2020 03:03:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id plkTc-FPkqzV for <oauth@ietfa.amsl.com>; Sun, 10 May 2020 03:03:33 -0700 (PDT)
Received: from mail-qv1-xf31.google.com (mail-qv1-xf31.google.com [IPv6:2607:f8b0:4864:20::f31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B4393A085D for <oauth@ietf.org>; Sun, 10 May 2020 03:03:32 -0700 (PDT)
Received: by mail-qv1-xf31.google.com with SMTP id 59so3124427qva.13 for <oauth@ietf.org>; Sun, 10 May 2020 03:03:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=cnq0h3GoA/3OFlTVMNdHUEmCSNoV/56RRTz1H+qLtBM=; b=ml4opn2L+qML7IfVVre2ihxaR5/nbSXiczzouZc/NWSGmAARg0Es6NGngC5XK6cZH8 AoT8sZCYLlE4+fUasO6fTc0sd2EV8z27rr3JgpcEwWhCM5Dg6TB2jChs3Y6Rv0SVQB9j BBrmbbgOENDsAJqncwfckp0El5R9mcqkEWQICalL4ZmhjDxsb0Oc/0BeYZM62jN/x1mc dVnljKtwGNpDInMDe6jdNUOQelePuxywYykF2AI6mld2TbWe2ulytjaGHX3q/KMstrDD ZPupyPBKzpSFWHjVCxzkmIi4b09D5vtu/6Y1+x44u9gg4xmpDG/StGeox5O2PPhNDGPl Ra8g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=cnq0h3GoA/3OFlTVMNdHUEmCSNoV/56RRTz1H+qLtBM=; b=NlFa4h8VzAlHgAhOLA5qpMwDr3NXKlmr9nx+90E9oQNeJsaYi+orK2cp2qco5QWNKx mI0Cs8WncHm29H2b+jAn9uZ+L02osS4UeFwuZvTL00IPEEDxh5kG6iidB5Pn9hR6+w0w hk5d6A8v76QQE5kAWj82ukXw0L/EorwopTp/ZXqmr3TVOyug9tWRPh7Ci5PFs0MEoJoi ZyNc595Sw0rkDtrVXRMrN9UxtqgJ4Cxg1hucTuIK2I3eFVYlCD4l1FRVYz6+/fORjyPB 0HYxpXYg9Yucf5uyyS3KakrQNQzr6jpcGkZPuzqrmt4+6/XsNvo5HrWfa9Lgw8zXUTHZ X9pA==
X-Gm-Message-State: AGi0Pua/qn71g5N0KysW9xMPnAWw9nDWy1jzjDymeiaWUnXn2vM5HZI9 4JwSFaVvMwCOFpOKR919UwIKiVvt+fjj/KQVk7Zr8IrZLUY=
X-Google-Smtp-Source: APiQypJ6IZiuuNp8c5y2ytOdNyeh6Nh3BWrmAGF4YKqsk02AppDY5kJkUqH515rBD53hOhZdznZ2/d0UWsTXWxOHqRE=
X-Received: by 2002:ad4:40c7:: with SMTP id x7mr9933023qvp.7.1589105011718; Sun, 10 May 2020 03:03:31 -0700 (PDT)
MIME-Version: 1.0
From: Beena Santhosh <beenapurushothaman@gmail.com>
Date: Sun, 10 May 2020 15:33:21 +0530
Message-ID: <CAB=KHVUNv9op+kniNuaUJyPKhWQLSYjOfFb+g=4Tg1n4t08ixw@mail.gmail.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary="000000000000bbfe5505a54857b2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/qgklsVy0Q7bFI68M3fQ0wLmnqQE>
Subject: [OAUTH-WG] Usage of Password Grant
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 May 2020 10:18:02 -0000


We have a product with client server architecture where our server manages
thousands of devices. Each device has a client-piece that talks to the
server over SOAP/REST. The client currently uses a HTTP Basic
Authentication (unique id and a secret string) for all the calls. The
secret string is created when the device enrolls to the server. It is
available at the server as well as stored securely on the device. For the
rest calls it is the device that is getting authenticated.

 Sending the credentials every time is less than ideal and we want to move
to some tokenized device authentication. We evaluated OpendID Connect based
on the general recommendation of SSO solution, but the issue is we do not
have any user interaction and hence there is no Grant flow that is fitting.
Hence we evaluated OAuth grant type of which we found Password Grant and
Client Credentials Grant is matching our requirement.

 In order to use Client Credentials in our use case, we need to do dynamic
registration for the thousands of devices managed by the server, if IoT
comes into picture the number is going to be even higher, which is highly
cumbersome to manage.  Also, as per  RFC7591 on dynamic client
registration, using access token for registering client is optional too.
Even though the Password grant is highly discouraged by the spec, we found
it to be highly matching with our requirements.

But as per the Oauth 2.1 proposal, password grant is going to be removed. Can
you suggest the way forward for us? I believe we are not a one-off case.

Thank You,