Hi,
We have a product with client server architecture where our server manages thousands of devices. Each device has a client-piece that talks to the server over SOAP/REST. The client currently uses a HTTP Basic Authentication (unique id and a secret string) for all the calls. The secret string is created when the device enrolls to the server. It is available at the server as well as stored securely on the device. For the rest calls it is the device that is getting authenticated. Sending the credentials every time is less than ideal and we want to move to some tokenized device authentication. We evaluated OpendID Connect based on the general recommendation of SSO solution, but the issue is we do not have any user interaction and hence there is no Grant flow that is fitting. Hence we evaluated OAuth grant type of which we found Password Grant and Client Credentials Grant is matching our requirement. In order to use Client Credentials in our use case, we need to do dynamic registration for the thousands of devices managed by the server, if IoT comes into picture the number is going to be even higher, which is highly cumbersome to manage. Also, as per RFC7591 on dynamic client registration, using access token for registering client is optional too. Even though the Password grant is highly discouraged by the spec, we found it to be highly matching with our requirements. But as per the Oauth 2.1 proposal, password grant is going to be removed. Can you suggest the way forward for us? I believe we are not a one-off case. Thank You, Beena
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
