Re: [OAUTH-WG] Usage of Password Grant
Mohamed Seada <mohamed.seada.1994@gmail.com> Fri, 15 May 2020 17:44 UTC
Return-Path: <mohamed.seada.1994@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5864C3A0BD6 for <oauth@ietfa.amsl.com>; Fri, 15 May 2020 10:44:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.847
X-Spam-Level:
X-Spam-Status: No, score=-1.847 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i9lqP3cUVWxf for <oauth@ietfa.amsl.com>; Fri, 15 May 2020 10:44:13 -0700 (PDT)
Received: from mail-wm1-x331.google.com (mail-wm1-x331.google.com [IPv6:2a00:1450:4864:20::331]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9B013A0B11 for <oauth@ietf.org>; Fri, 15 May 2020 10:44:12 -0700 (PDT)
Received: by mail-wm1-x331.google.com with SMTP id f134so3146880wmf.1 for <oauth@ietf.org>; Fri, 15 May 2020 10:44:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=J7A1zY6ebsO6Z1b8YHKaDijwvAYJk9BFnwExt1hu6cY=; b=LxK96WdBZhYK+Vx2ELz2rx8cA9fBk7FdXZJm9NGgjs7wPf9yCodtNQTTZx4fsHUHmw K/ZMxbiqSmRNsy0Te3aYJzi1TKTM9lGam4tmBdbBvFpp0fI008MQfKt6Iwy7+HjZPg11 FzpJPQJ9vEhS9NN0V715iJ9Wqco3ZBOdKtqyUAsZSahmK5ylXWwH9yQVtkbd6ffXt2+W qyObRk3TG3BVlfDCv0O55kUCND1/PgZgfLQxO7WP7OyfD2ZiOcRy8Ph8whARiMAw8DwI jZxSXArCPXaZ1CKO9WUDLFuTlPWu3dyDnp0ddQ6+TkVzVJUFxv0MxMQklkPriRG7gM9b qRmA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=J7A1zY6ebsO6Z1b8YHKaDijwvAYJk9BFnwExt1hu6cY=; b=R2xNP28clQG++dipfe1To/rrGVXN7gH3F4O2UdLhKh0f4TNKn96KKautCIAJtjO1h0 1Uz2kFmpu3zBleJzmXR/dCTBxwq3jiuIp6Ib3dFooIENtSjAdzkBHDL5PBfebalIAmIX 5JHuqfbqDkBktVRhWVtXwNrIn5eQqtyi10cRM1MpAZWS1/sB7uYJqjCZ2Anf78/NCDOO AhvU80omsRcyHw9+XA98GmlWmbemLI/boM4jUbNtVrHQIYJIslIrUNsXyBzzMUHQvP39 H/bA8dEmkTmN3LaYYYROiWZXQOLSqxBQcO8ce51HvSluvZwxtKuRsA9P7TX3+/YvPn/X MvZg==
X-Gm-Message-State: AOAM531/FbckJhpgqg/1yzsDRz/XQn4cFn33QIIgv7nOAL4ONjdD5z5P mfBUTk7MqvP41ZKOXBYAI3EDjJYxfVzjHjAJE8DN629K
X-Google-Smtp-Source: ABdhPJwdrEC+a8iWl5FFfWy854ehe+HBjHmWYLzV6KvVHrWlpSpTZOYb8XPvksWqDkEH0NE1+T87iQqY3cOOWWaC5Ug=
X-Received: by 2002:a7b:cc84:: with SMTP id p4mr5459477wma.159.1589564650709; Fri, 15 May 2020 10:44:10 -0700 (PDT)
MIME-Version: 1.0
References: <CAB=KHVUNv9op+kniNuaUJyPKhWQLSYjOfFb+g=4Tg1n4t08ixw@mail.gmail.com> <CAGBSGjqAJ9X7CU_csBJ-eHQQJKCLa4JuR-eqK=2qFURfdLT36g@mail.gmail.com> <CAB=KHVUePF_yqUP_nFcb3cozyxAGBcxUAeFFjPuq7CF=26QgLg@mail.gmail.com> <CAGBSGjpZp4W9WTvJHGN_Mc5ti2rZqTdfnogp3G0BAEqhDFV1rQ@mail.gmail.com> <CAB=KHVVpGM4Comjh_=beuPbaUBZar2vJ9Ap8j27Cy6LnLdzh-w@mail.gmail.com> <CAB=KHVXy790gyhvP-WfXvHMbAVMbJxvRvPUdw-c7o8027mpk+g@mail.gmail.com>
In-Reply-To: <CAB=KHVXy790gyhvP-WfXvHMbAVMbJxvRvPUdw-c7o8027mpk+g@mail.gmail.com>
From: Mohamed Seada <mohamed.seada.1994@gmail.com>
Date: Fri, 15 May 2020 19:44:01 +0200
Message-ID: <CA+3Y_4QmSKbb=GbupSFM9k9hFp=3eG77p0oxz89At-1M9uVemw@mail.gmail.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary="0000000000005a661305a5b35c51"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/vlna6YcgrIqNvkOBsFUuW8XJ0-g>
Subject: Re: [OAUTH-WG] Usage of Password Grant
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 May 2020 17:44:16 -0000
Hi, If the client credential is being used by the first-party client, you can use a generic token that could access any resource. The need for a password grant here is to identify the resource owner with his credentials, as this is just for first-party, you don't need his secret just id. I think (not in spec.) this could be achieved by adding a new optional parameter for client credentials resource_owner_id. Thanks, On Fri, 15 May 2020, 6:13 pm Beena Santhosh, <beenapurushothaman@gmail.com> wrote: > Hi Aaron, > > I had a re-look at this and the difference I still see is that I am able > to use a common client_id with Password Grant, which does not seem possible > using Credentials Grant. Without Password grant I don't see a way to > achieve this. > > Thank You, > Beena > > > On Tue, May 12, 2020 at 12:40 PM Beena Santhosh < > beenapurushothaman@gmail.com> wrote: > >> Hi Aaron, >> >> >> What we are planning to build is a Public first party client. As per the >> spec the client secret is optional for Password Grant. Hence we choose >> to use a common client_id across all the devices. The first party client on >> every device will get the common client_id through our proprietary API. >> We found this as a difference between Password Grant and Client credentials >> grant. We could be wrong but this is our interpretation. This way we could >> make use of the rest of the benefits that OAuth provides around access >> tokens >> >> >> Thank You, >> >> Beena >> >> On Mon, May 11, 2020 at 11:15 PM Aaron Parecki <aaron@parecki.com> wrote: >> >>> With the password grant you'd then need to register 50,000+ user >>> accounts, right? How is that different from registering that many clients? >>> >>> On Mon, May 11, 2020 at 10:39 AM Beena Santhosh < >>> beenapurushothaman@gmail..com <beenapurushothaman@gmail.com>> wrote: >>> >>>> Hi Aaron, >>>> >>>> Thank You for the quick response. >>>> >>>> We do support 1, 50, 000+ devices and that means we need to register >>>> those many devices dynamically, the provider we have evaluated is not >>>> supporting that scale . Once we incorporate IoT, we need to support >>>> millions of devices. With Password Grant as we need only one client_id it >>>> is easy to manage. Also our client is First Party client. >>>> >>>> >>>> Thank You, >>>> >>>> Beena >>>> >>>> On Sun, May 10, 2020 at 7:50 PM Aaron Parecki <aaron@parecki.com> >>>> wrote: >>>> >>>>> Hi Beena, >>>>> >>>>> This sounds like a great use of the client credentials grant. The >>>>> password grant is being removed from OAuth 2.0 by the Security Best Current >>>>> Practice. Can you clarify what you've found useful about the password grant >>>>> that the client credentials grant doesn't solve? >>>>> >>>>> Aaron Parecki >>>>> >>>>> >>>>> On Sun, May 10, 2020 at 3:18 AM Beena Santhosh < >>>>> beenapurushothaman@gmail.com> wrote: >>>>> >>>>>> Hi, >>>>>> >>>>>> >>>>>> We have a product with client server architecture where our server >>>>>> manages thousands of devices. Each device has a client-piece that talks to >>>>>> the server over SOAP/REST. The client currently uses a HTTP Basic >>>>>> Authentication (unique id and a secret string) for all the calls. The >>>>>> secret string is created when the device enrolls to the server. It is >>>>>> available at the server as well as stored securely on the device. For the >>>>>> rest calls it is the device that is getting authenticated. >>>>>> >>>>>> >>>>>> >>>>>> Sending the credentials every time is less than ideal and we want to >>>>>> move to some tokenized device authentication. We evaluated OpendID Connect >>>>>> based on the general recommendation of SSO solution, but the issue is we do >>>>>> not have any user interaction and hence there is no Grant flow that is >>>>>> fitting. Hence we evaluated OAuth grant type of which we found Password >>>>>> Grant and Client Credentials Grant is matching our requirement. >>>>>> >>>>>> >>>>>> >>>>>> In order to use Client Credentials in our use case, we need to do >>>>>> dynamic registration for the thousands of devices managed by the server, if >>>>>> IoT comes into picture the number is going to be even higher, which is >>>>>> highly cumbersome to manage. Also, as per RFC7591 on dynamic client >>>>>> registration, using access token for registering client is optional too. >>>>>> Even though the Password grant is highly discouraged by the spec, we found >>>>>> it to be highly matching with our requirements. >>>>>> >>>>>> >>>>>> >>>>>> But as per the Oauth 2.1 proposal, password grant is going to be >>>>>> removed. Can you suggest the way forward for us? I believe we are >>>>>> not a one-off case. >>>>>> >>>>>> >>>>>> Thank You, >>>>>> >>>>>> Beena >>>>>> _______________________________________________ >>>>>> OAuth mailing list >>>>>> OAuth@ietf.org >>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>> >>>>> _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Usage of Password Grant Beena Santhosh
- Re: [OAUTH-WG] Usage of Password Grant Aaron Parecki
- Re: [OAUTH-WG] Usage of Password Grant Beena Santhosh
- Re: [OAUTH-WG] Usage of Password Grant Evert Pot
- Re: [OAUTH-WG] Usage of Password Grant Beena Santhosh
- Re: [OAUTH-WG] Usage of Password Grant Mohamed Seada