IETF Logo Mail Archive

Re: [OAUTH-WG] Usage of Password Grant

Mohamed Seada <mohamed.seada.1994@gmail.com> Fri, 15 May 2020 17:44 UTC

Return-Path: <mohamed.seada.1994@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5864C3A0BD6 for <oauth@ietfa.amsl.com>; Fri, 15 May 2020 10:44:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.847
X-Spam-Level:
X-Spam-Status: No, score=-1.847 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i9lqP3cUVWxf for <oauth@ietfa.amsl.com>; Fri, 15 May 2020 10:44:13 -0700 (PDT)
Received: from mail-wm1-x331.google.com (mail-wm1-x331.google.com [IPv6:2a00:1450:4864:20::331]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9B013A0B11 for <oauth@ietf.org>; Fri, 15 May 2020 10:44:12 -0700 (PDT)
Received: by mail-wm1-x331.google.com with SMTP id f134so3146880wmf.1 for <oauth@ietf.org>; Fri, 15 May 2020 10:44:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=J7A1zY6ebsO6Z1b8YHKaDijwvAYJk9BFnwExt1hu6cY=; b=LxK96WdBZhYK+Vx2ELz2rx8cA9fBk7FdXZJm9NGgjs7wPf9yCodtNQTTZx4fsHUHmw K/ZMxbiqSmRNsy0Te3aYJzi1TKTM9lGam4tmBdbBvFpp0fI008MQfKt6Iwy7+HjZPg11 FzpJPQJ9vEhS9NN0V715iJ9Wqco3ZBOdKtqyUAsZSahmK5ylXWwH9yQVtkbd6ffXt2+W qyObRk3TG3BVlfDCv0O55kUCND1/PgZgfLQxO7WP7OyfD2ZiOcRy8Ph8whARiMAw8DwI jZxSXArCPXaZ1CKO9WUDLFuTlPWu3dyDnp0ddQ6+TkVzVJUFxv0MxMQklkPriRG7gM9b qRmA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=J7A1zY6ebsO6Z1b8YHKaDijwvAYJk9BFnwExt1hu6cY=; b=R2xNP28clQG++dipfe1To/rrGVXN7gH3F4O2UdLhKh0f4TNKn96KKautCIAJtjO1h0 1Uz2kFmpu3zBleJzmXR/dCTBxwq3jiuIp6Ib3dFooIENtSjAdzkBHDL5PBfebalIAmIX 5JHuqfbqDkBktVRhWVtXwNrIn5eQqtyi10cRM1MpAZWS1/sB7uYJqjCZ2Anf78/NCDOO AhvU80omsRcyHw9+XA98GmlWmbemLI/boM4jUbNtVrHQIYJIslIrUNsXyBzzMUHQvP39 H/bA8dEmkTmN3LaYYYROiWZXQOLSqxBQcO8ce51HvSluvZwxtKuRsA9P7TX3+/YvPn/X MvZg==
X-Gm-Message-State: AOAM531/FbckJhpgqg/1yzsDRz/XQn4cFn33QIIgv7nOAL4ONjdD5z5P mfBUTk7MqvP41ZKOXBYAI3EDjJYxfVzjHjAJE8DN629K
X-Google-Smtp-Source: ABdhPJwdrEC+a8iWl5FFfWy854ehe+HBjHmWYLzV6KvVHrWlpSpTZOYb8XPvksWqDkEH0NE1+T87iQqY3cOOWWaC5Ug=
X-Received: by 2002:a7b:cc84:: with SMTP id p4mr5459477wma.159.1589564650709; Fri, 15 May 2020 10:44:10 -0700 (PDT)
MIME-Version: 1.0
References: <CAB=KHVUNv9op+kniNuaUJyPKhWQLSYjOfFb+g=4Tg1n4t08ixw@mail.gmail.com> <CAGBSGjqAJ9X7CU_csBJ-eHQQJKCLa4JuR-eqK=2qFURfdLT36g@mail.gmail.com> <CAB=KHVUePF_yqUP_nFcb3cozyxAGBcxUAeFFjPuq7CF=26QgLg@mail.gmail.com> <CAGBSGjpZp4W9WTvJHGN_Mc5ti2rZqTdfnogp3G0BAEqhDFV1rQ@mail.gmail.com> <CAB=KHVVpGM4Comjh_=beuPbaUBZar2vJ9Ap8j27Cy6LnLdzh-w@mail.gmail.com> <CAB=KHVXy790gyhvP-WfXvHMbAVMbJxvRvPUdw-c7o8027mpk+g@mail.gmail.com>
In-Reply-To: <CAB=KHVXy790gyhvP-WfXvHMbAVMbJxvRvPUdw-c7o8027mpk+g@mail.gmail.com>
From: Mohamed Seada <mohamed.seada.1994@gmail.com>
Date: Fri, 15 May 2020 19:44:01 +0200
Message-ID: <CA+3Y_4QmSKbb=GbupSFM9k9hFp=3eG77p0oxz89At-1M9uVemw@mail.gmail.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary="0000000000005a661305a5b35c51"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/vlna6YcgrIqNvkOBsFUuW8XJ0-g>
Subject: Re: [OAUTH-WG] Usage of Password Grant
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 May 2020 17:44:16 -0000

Hi,

If the client credential is being used by the first-party client, you can
use a generic token that could access any resource.
The need for a password grant here is to identify the resource owner with
his credentials, as this is just for first-party, you don't need his secret
just id.
I think (not in spec.) this could be achieved by adding a new optional
parameter for client credentials resource_owner_id.

Thanks,

On Fri, 15 May 2020, 6:13 pm Beena Santhosh, <beenapurushothaman@gmail.com>
wrote:

> Hi Aaron,
>
> I had a re-look at this and the difference I still see is that I am able
> to use a common client_id with Password Grant, which does not seem possible
> using Credentials Grant. Without Password grant I don't see a way to
> achieve this.
>
> Thank You,
> Beena
>
>
> On Tue, May 12, 2020 at 12:40 PM Beena Santhosh <
> beenapurushothaman@gmail.com> wrote:
>
>> Hi Aaron,
>>
>>
>> What we are planning to build is a Public first party client. As per the
>> spec the client secret is optional for Password Grant. Hence we choose
>> to use a common client_id across all the devices. The first party client on
>> every device  will get the  common client_id through our proprietary API.
>> We found this as a difference between Password Grant and Client credentials
>> grant. We could be wrong but this is our interpretation.  This way we could
>> make use of the rest of the benefits that OAuth provides around access
>> tokens
>>
>>
>> Thank You,
>>
>> Beena
>>
>> On Mon, May 11, 2020 at 11:15 PM Aaron Parecki <aaron@parecki.com> wrote:
>>
>>> With the password grant you'd then need to register 50,000+ user
>>> accounts, right? How is that different from registering that many clients?
>>>
>>> On Mon, May 11, 2020 at 10:39 AM Beena Santhosh <
>>> beenapurushothaman@gmail..com <beenapurushothaman@gmail.com>> wrote:
>>>
>>>> Hi Aaron,
>>>>
>>>> Thank You for the quick response.
>>>>
>>>> We do support  1, 50, 000+ devices and that means we need to register
>>>> those many devices dynamically,  the provider we have evaluated  is not
>>>> supporting that scale . Once we  incorporate IoT, we need to support
>>>> millions of devices. With Password Grant as we need only one client_id it
>>>> is easy to manage. Also our client is First Party client.
>>>>
>>>>
>>>> Thank You,
>>>>
>>>> Beena
>>>>
>>>> On Sun, May 10, 2020 at 7:50 PM Aaron Parecki <aaron@parecki.com>
>>>> wrote:
>>>>
>>>>> Hi Beena,
>>>>>
>>>>> This sounds like a great use of the client credentials grant. The
>>>>> password grant is being removed from OAuth 2.0 by the Security Best Current
>>>>> Practice. Can you clarify what you've found useful about the password grant
>>>>> that the client credentials grant doesn't solve?
>>>>>
>>>>> Aaron Parecki
>>>>>
>>>>>
>>>>> On Sun, May 10, 2020 at 3:18 AM Beena Santhosh <
>>>>> beenapurushothaman@gmail.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>>
>>>>>> We have a product with client server architecture where our server
>>>>>> manages thousands of devices. Each device has a client-piece that talks to
>>>>>> the server over SOAP/REST. The client currently uses a HTTP Basic
>>>>>> Authentication (unique id and a secret string) for all the calls. The
>>>>>> secret string is created when the device enrolls to the server. It is
>>>>>> available at the server as well as stored securely on the device. For the
>>>>>> rest calls it is the device that is getting authenticated.
>>>>>>
>>>>>>
>>>>>>
>>>>>>  Sending the credentials every time is less than ideal and we want to
>>>>>> move to some tokenized device authentication. We evaluated OpendID Connect
>>>>>> based on the general recommendation of SSO solution, but the issue is we do
>>>>>> not have any user interaction and hence there is no Grant flow that is
>>>>>> fitting. Hence we evaluated OAuth grant type of which we found Password
>>>>>> Grant and Client Credentials Grant is matching our requirement.
>>>>>>
>>>>>>
>>>>>>
>>>>>>  In order to use Client Credentials in our use case, we need to do
>>>>>> dynamic registration for the thousands of devices managed by the server, if
>>>>>> IoT comes into picture the number is going to be even higher, which is
>>>>>> highly cumbersome to manage.  Also, as per  RFC7591 on dynamic client
>>>>>> registration, using access token for registering client is optional too.
>>>>>> Even though the Password grant is highly discouraged by the spec, we found
>>>>>> it to be highly matching with our requirements.
>>>>>>
>>>>>>
>>>>>>
>>>>>> But as per the Oauth 2.1 proposal, password grant is going to be
>>>>>> removed. Can you suggest the way forward for us? I believe we are
>>>>>> not a one-off case.
>>>>>>
>>>>>>
>>>>>> Thank You,
>>>>>>
>>>>>> Beena
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>
>>>>> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email