Hello All, Hope you are all doing great. We have been thinking of creating a proposal for a new OAuth2 authorization grant based on the FIDO credentials, please let us know your thoughts so that we can put together a draft proposal.
Abstract: FIDO Profile for OAuth 2.0 Authorization Grants

Fast Identity Online (FIDO) and WebAuthn are open standards that define strong cryptographic credentials that are alternatives to passwords for accessing websites and apps with secure and faster login experiences for users. The FIDO and WebAuthn protocols have been developed through the FIDO Alliance and W3C standards bodies.

The OAuth 2.0 Authorization Framework [RFC6749] <https://www.rfc-editor.org/rfc/rfc6749> provides a method for making authenticated HTTP requests to a resource using an access token. Access tokens are issued to third-party clients by an authorization server (AS) with the (sometimes implicit) approval of the resource owner. In OAuth, an authorization grant is an abstract term used to describe intermediate credentials that represent the resource owner's authorization. An authorization grant is used by the client to obtain an access token. Several authorization grant types are defined to support a wide range of client types and user experiences. OAuth also allows for the definition of new extension grant types to support additional clients or to provide a bridge between OAuth and other trust frameworks.

This proposal defines a new authorization grant and how FIDO credentials can be used to obtain an access token. FIDO credentials are the resource owner's credentials, used directly as an authorization grant to obtain an access token. The credentials should only be used when there is a high degree of trust between the resource owner and the client. Even though this grant type requires direct client access to the resource owner's credentials, the resource owner's credentials are used for a single request and are exchanged for an access token.
Token endpoint sample:

POST v1/oauth2/token HTTP/1.1
Host: authz.example.net
Content-Type: application/x-www-form-urlencoded

grant_type=urn:ietf:params:oauth:grant-type:webauthn-assertion
&webauthn_assertion=<authenticator_assertion_response>

HTTP/1.1 200 OK
Content-Type: application/json

{
  "access_token": "A23.xjHEJEH830JLD",
  "expires_in": 900
}

Thanks,
Malla
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
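An added example, not code from the proposal or any project, of what the authorization server behind the token endpoint sample above has to verify before exchanging a webauthn_assertion for an access token: grant_type, a fresh single-use challenge, clientData type and origin, the RP ID hash, the user-presence flag, the signature counter, and the signature over authenticatorData || SHA-256(clientDataJSON). The AS identity (authz.example.net), the credential-store layout, the JSON encoding of the assertion parameter and the pluggable verify_sig callback (standing in for a real ES256/EdDSA check) are assumptions.

```python
import base64, hashlib, json, secrets, struct
from urllib.parse import parse_qs

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:webauthn-assertion"
RP_ID, ORIGIN = "authz.example.net", "https://authz.example.net"  # assumed AS identity

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

class WebAuthnGrantHandler:  # token-endpoint logic for the proposed grant (assumed design)
    def __init__(self, credentials, verify_sig):
        self.credentials = credentials  # credential id -> {"public_key": ..., "sign_count": int}
        self.verify_sig = verify_sig    # verify_sig(public_key, signed_data, signature) -> bool
        self.pending = set()            # challenges issued by this AS, each usable exactly once

    def new_challenge(self) -> str:
        challenge = b64url_encode(secrets.token_bytes(32))
        self.pending.add(challenge)
        return challenge

    def token(self, body: str) -> dict:
        form = parse_qs(body)
        if form.get("grant_type") != [GRANT_TYPE]:
            return {"error": "unsupported_grant_type"}
        try:
            a = json.loads(b64url_decode(form["webauthn_assertion"][0]))
            cred = self.credentials[a["id"]]
            cdata_raw = b64url_decode(a["clientDataJSON"])
            cdata = json.loads(cdata_raw)
            auth_data = b64url_decode(a["authenticatorData"])
            # authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4, big-endian)
            rp_id_hash, flags, count = auth_data[:32], auth_data[32], struct.unpack(">I", auth_data[33:37])[0]
            ok = (cdata.get("type") == "webauthn.get"
                  and cdata.get("origin") == ORIGIN
                  and cdata.get("challenge") in self.pending                   # fresh AS challenge
                  and rp_id_hash == hashlib.sha256(RP_ID.encode()).digest()
                  and flags & 0x01                                             # user present
                  and (count > cred["sign_count"] or count == cred["sign_count"] == 0))
            # the authenticator signs authenticatorData || SHA-256(clientDataJSON)
            signed = auth_data + hashlib.sha256(cdata_raw).digest()
            ok = ok and self.verify_sig(cred["public_key"], signed, b64url_decode(a["signature"]))
        except (KeyError, ValueError, IndexError, TypeError, AttributeError, struct.error):
            ok = False
        if not ok:
            return {"error": "invalid_grant"}
        self.pending.discard(cdata["challenge"])  # single use: a replayed assertion fails next time
        cred["sign_count"] = count                # persist counter so a cloned authenticator is noticed
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer", "expires_in": 900}
```

The challenge must be minted by the AS and bound to this token request; accepting an assertion over a client-chosen challenge would turn the grant into a replayable bearer credential.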