[OAUTH-WG] Usage of Password Grant
Beena Santhosh <beenapurushothaman@gmail.com> Sun, 10 May 2020 10:03 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/qgklsVy0Q7bFI68M3fQ0wLmnqQE>
Hi,

We have a product with a client-server architecture where our server manages thousands of devices. Each device has a client piece that talks to the server over SOAP/REST. The client currently uses HTTP Basic Authentication (a unique id and a secret string) for all the calls. The secret string is created when the device enrolls to the server. It is available at the server as well as stored securely on the device. For the REST calls it is the device that is getting authenticated.

Sending the credentials every time is less than ideal and we want to move to some tokenized device authentication. We evaluated OpenID Connect based on the general recommendation of SSO solutions, but the issue is we do not have any user interaction and hence there is no grant flow that is fitting. Hence we evaluated the OAuth grant types, of which we found Password Grant and Client Credentials Grant are matching our requirement.

In order to use Client Credentials in our use case, we need to do dynamic registration for the thousands of devices managed by the server; if IoT comes into the picture the number is going to be even higher, which is highly cumbersome to manage. Also, as per RFC 7591 on dynamic client registration, using an access token for registering a client is optional too.

Even though the Password grant is highly discouraged by the spec, we found it to be highly matching with our requirements. But as per the OAuth 2.1 proposal, the password grant is going to be removed. Can you suggest the way forward for us? I believe we are not a one-off case.

Thank You,
Beena
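The message above weighs the client credentials grant against the password grant for device-to-server authentication. As an added illustration (not part of the original message, and not a recommendation of the working group), the following Python sketch shows what the client credentials exchange of RFC 6749 section 4.4 looks like when the device's existing enrollment id and secret are presented as client_id/client_secret over HTTP Basic (section 2.3.1), so no separate RFC 7591 registration call is involved: the enrollment step, the token request the device builds, the token endpoint's check and issuance, the resource server's Bearer check, and the rejection of a password-grant request at that endpoint. The in-memory stores, the SHA-256 hashing of the secret at rest, the opaque random tokens and the 900-second lifetime are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode

# Assumption: in-memory stores stand in for the server's enrollment and token DBs.
_DEVICES: Dict[str, bytes] = {}                 # device_id -> sha256(secret)
_TOKENS: Dict[str, Tuple[str, float]] = {}      # access token -> (device_id, expiry)
_DUMMY_HASH = hashlib.sha256(b"no-such-device").digest()
TOKEN_TTL = 900                                 # seconds; assumed value


def enroll_device(device_id: str) -> str:
    """Enrollment: mint the device secret once and keep only its hash.
    The (device_id, secret) pair is reused as client_id / client_secret."""
    secret = secrets.token_urlsafe(32)
    _DEVICES[device_id] = hashlib.sha256(secret.encode()).digest()
    return secret


def build_token_request(device_id: str, secret: str) -> Tuple[Dict[str, str], str]:
    """Client side: a client_credentials token request, authenticated with HTTP Basic."""
    creds = base64.b64encode(f"{device_id}:{secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "client_credentials", "scope": "device"})
    return headers, body


def token_endpoint(headers: Dict[str, str], body: str) -> Tuple[int, dict]:
    """Server side: authenticate the client first, then check the grant type."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401, {"error": "invalid_client"}
    # Compare against a dummy hash for unknown ids so the timing is the same either way.
    stored = _DEVICES.get(client_id, _DUMMY_HASH)
    presented = hashlib.sha256(secret.encode()).digest()
    if not (hmac.compare_digest(stored, presented) and client_id in _DEVICES):
        return 401, {"error": "invalid_client"}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "client_credentials":
        # A password-grant request (grant_type=password) lands here.
        return 400, {"error": "unsupported_grant_type"}
    token = secrets.token_urlsafe(32)                # opaque, random, server-side lookup
    _TOKENS[token] = (client_id, time.time() + TOKEN_TTL)
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_TTL}


def authenticate_bearer(headers: Dict[str, str]) -> Optional[str]:
    """Resource server side: map a Bearer token back to the enrolled device, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    entry = _TOKENS.get(auth[7:])
    if entry is None or entry[1] < time.time():
        return None
    return entry[0]


if __name__ == "__main__":
    s = enroll_device("dev-001")
    h, b = build_token_request("dev-001", s)
    status, resp = token_endpoint(h, b)
    print(status, resp)
    print(authenticate_bearer({"Authorization": "Bearer " + resp["access_token"]}))
```

The device still holds its long-lived secret, but it is sent only to the token endpoint; the per-call REST/SOAP requests carry a short-lived Bearer token instead, which is the "tokenized device authentication" the message asks about.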