We’ve looked at this with XYZ, and one of the patterns that’s possible with the backchannel-first flow is to have the server send a challenge back to the client which the client can then respond to, for example by signing it with a FIDO-style device key. Depending on the system, the client could identify the user in the first request or the credential could carry the identification directly. You need an “extra” round trip compared to OAuth2-style flows, but it makes life a whole lot simpler for this kind of user authn.
— Justin

> On Apr 9, 2020, at 4:09 AM, Daniel Fett <f...@danielfett.de> wrote:
>
> On 09.04.20 at 09:55, Rob Otto wrote:
>> I'd imagine you have to pre-register each client and then use HOTP or TOTP
>> to generate one-time passcodes.
>>
>
> I can come up with a couple of other ways as well, but I'm interested to hear
> what Francis sees "in the wild".
>
> -Daniel
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
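The two-round-trip pattern Justin describes, as an added example that is not from this thread or from XYZ itself, written in Go with an Ed25519 key standing in for the FIDO-style device key: the client identifies itself in the first request, the server hands back a nonce bound to that client, and the second round trip carries the client's signature over it. The type and function names (Server, Challenge, SignChallenge, Verify) and the client ids are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

// Constructed server state: enrolled device keys and the challenges still outstanding.
type challenge struct {
	clientID string    // who the nonce was issued to
	expires  time.Time // after this the nonce is refused
}
type Server struct {
	keys       map[string]ed25519.PublicKey // client id -> enrolled device public key
	challenges map[string]challenge        // hex nonce -> binding
}

// Round trip 1: the client identifies itself; the server returns a fresh nonce bound to that client.
func (s *Server) Challenge(clientID string, now time.Time) (string, error) {
	if _, ok := s.keys[clientID]; !ok {
		return "", errors.New("unknown client")
	}
	nonce := make([]byte, 16)
	rand.Read(nonce) // crypto/rand: guaranteed not to fail since Go 1.24
	n := hex.EncodeToString(nonce)
	s.challenges[n] = challenge{clientID: clientID, expires: now.Add(time.Minute)}
	return n, nil
}

// Client side: sign clientID||nonce with the device key, binding the reply to both.
func SignChallenge(priv ed25519.PrivateKey, clientID, nonce string) []byte {
	return ed25519.Sign(priv, []byte(clientID+"|"+nonce))
}

// Round trip 2: verify with the enrolled key; unknown, mismatched, expired or replayed nonces are refused.
func (s *Server) Verify(clientID, nonce string, sig []byte, now time.Time) error {
	c, ok := s.challenges[nonce]
	delete(s.challenges, nonce) // single use, whatever the outcome
	if !ok || c.clientID != clientID || now.After(c.expires) {
		return errors.New("challenge unknown, mismatched or expired")
	}
	if !ed25519.Verify(s.keys[clientID], []byte(clientID+"|"+nonce), sig) {
		return errors.New("bad signature")
	}
	return nil
}
```

Binding the signature to the client id and consuming each nonce once are what keep the extra round trip from becoming a replay or substitution channel.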