Hi Aaron

as you can see from my July proposal, I was not suggesting using the token endpoint in isolation for FIDO2. Rather, it would remain 'as is' and return an access token to the client (but a short-lived one), by supporting two new grant types (for FIDO regn and FIDO authn). I was proposing that the authz endpoint is enhanced to support the initial steps of FIDO registration and FIDO authentication. This seems more natural to me. The authz endpoint with a FIDO authn request would act more like the refreshing of an access token, meaning that the token endpoint never issues refresh tokens, but only short-lived access tokens. Then clients do not need to store insecure software-based access tokens after the transaction with the resource server is complete.

Kind regards

David

On 07/02/2023 08:47, Aaron Parecki wrote:
Here's a version of this that my colleague wrote up in August for this grant; we're definitely interested in exploring this further. It is also missing the nonce/server challenge part, but it's a start.


Aaron


On Fri, Dec 23, 2022 at 1:37 PM David Chadwick <d.w.chadw...@verifiablecredentials.info> wrote:

Yes, I already proposed this to the OpenID4VCs working group. You can see my proposal here

https://bitbucket.org/openid/connect/issues/1542/support-for-fido-authentication

This proposes two new authorization grant types of "FIDO Registration" and "FIDO Authentication".

Kind regards

David

On 23/12/2022 00:40, Malla Simhachalam wrote:
Hello All,

Hope you are all doing great. We have been thinking of creating a proposal for a new OAuth2 authorization grant based on FIDO credentials; please let us know your thoughts so that we can put together a draft proposal.

/******

Abstract: FIDO Profile for OAuth2.0 Authorization Grants


Fast Identity Online (FIDO) and WebAuthn are open standards that define strong cryptographic credentials as alternatives to passwords for accessing websites and apps, giving users a more secure and faster login experience. The FIDO and WebAuthn protocols have been developed through the FIDO Alliance and W3C standards bodies. The OAuth 2.0 Authorization Framework [RFC6749] provides a method for making authenticated HTTP requests to a resource using an access token. Access tokens are issued to third-party clients by an authorization server (AS) with the (sometimes implicit) approval of the resource owner. In OAuth, an authorization grant is an abstract term used to describe intermediate credentials that represent the resource owner's authorization. An authorization grant is used by the client to obtain an access token. Several authorization grant types are defined to support a wide range of client types and user experiences. OAuth also allows for the definition of new extension grant types to support additional clients or to provide a bridge between OAuth and other trust frameworks.


This proposal defines a new authorization grant and how FIDO credentials can be used to obtain an access token. FIDO credentials are the resource owner's credentials, used directly as an authorization grant to obtain an access token. The credentials should only be used when there is a high degree of trust between the resource owner and the client. Even though this grant type requires direct client access to the resource owner's credentials, the credentials are used for a single request and are exchanged for an access token.



Token endpoint sample:

POST /v1/oauth2/token HTTP/1.1
Host: authz.example.net
Content-Type: application/x-www-form-urlencoded

grant_type=urn:ietf:params:oauth:grant-type:webauthn-assertion
     &webauthn_assertion=<authenticator_assertion_response>


HTTP/1.1 200 OK
Content-Type: application/json

{
    "access_token" : "A23.xjHEJEH830JLD",
    "token_type" : "Bearer",
    "expires_in" : 900
}

***/

Thanks,
Malla

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
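The following is an added illustration, not code from any message in this thread or from the OpenID4VC proposal, of the checks an authorization server would run on the webauthn-assertion grant in the sample above, including the server challenge that Aaron notes the sample is missing. It assumes a decoding of the webauthn_assertion parameter into clientDataJSON, authenticatorData and an ES256 signature (the proposal does not define the encoding), an in-memory challenge store, and a single registered credential with the constructed id "cred-1"; the sign function stands in for the browser and authenticator so that the example runs offline. It goes beyond the sample by showing the origin, rpIdHash, user-presence, signature and single-use-challenge checks, and why a replayed assertion is refused.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// clientData models the WebAuthn CollectedClientData; only the fields the AS checks are kept.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url, no padding
	Origin    string `json:"origin"`
}

// assertion is an assumed decoding of the sample's webauthn_assertion parameter.
type assertion struct {
	ClientDataJSON, AuthenticatorData []byte
	Signature                         []byte // DER ECDSA, COSE alg ES256
}

// authServer holds the challenges the AS issued (the nonce the sample lacks) and registered keys.
type authServer struct {
	rpID, origin string
	challenges   map[string]time.Time        // challenge -> expiry, deleted when used
	keys         map[string]*ecdsa.PublicKey // credential id -> registered key
}

// newChallenge issues a fresh single-use challenge for the client to get signed.
func (s *authServer) newChallenge() string {
	buf := make([]byte, 32)
	rand.Read(buf)
	c := base64.RawURLEncoding.EncodeToString(buf)
	s.challenges[c] = time.Now().Add(2 * time.Minute)
	return c
}

// redeem runs the token endpoint checks and returns expires_in of the short-lived token on success.
func (s *authServer) redeem(credID string, a assertion) (int, error) {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return 0, err
	}
	if cd.Type != "webauthn.get" || cd.Origin != s.origin {
		return 0, errors.New("clientData type or origin mismatch")
	}
	exp, ok := s.challenges[cd.Challenge]
	if !ok || time.Now().After(exp) {
		return 0, errors.New("unknown, expired or already used challenge")
	}
	delete(s.challenges, cd.Challenge) // single use: a replayed assertion fails here
	rpHash := sha256.Sum256([]byte(s.rpID))
	if len(a.AuthenticatorData) < 37 || string(a.AuthenticatorData[:32]) != string(rpHash[:]) ||
		a.AuthenticatorData[32]&0x01 == 0 {
		return 0, errors.New("authenticatorData: rpIdHash mismatch or user presence not set")
	}
	pub, ok := s.keys[credID]
	if !ok {
		return 0, errors.New("unknown credential")
	}
	// The authenticator signs authenticatorData || SHA-256(clientDataJSON).
	cdHash := sha256.Sum256(a.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, a.AuthenticatorData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], a.Signature) {
		return 0, errors.New("invalid signature")
	}
	return 900, nil
}

// sign stands in for browser and authenticator: it builds and signs the assertion for a challenge.
func sign(priv *ecdsa.PrivateKey, rpID, origin, challenge string) assertion {
	cdj, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: UP set; signCount = 1
	cdHash := sha256.Sum256(cdj)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return assertion{ClientDataJSON: cdj, AuthenticatorData: authData, Signature: sig}
}

// demo registers one constructed credential, redeems a fresh assertion, then replays it.
func demo() (expiresIn int, first, replay error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	s := &authServer{rpID: "authz.example.net", origin: "https://authz.example.net",
		challenges: map[string]time.Time{}, keys: map[string]*ecdsa.PublicKey{"cred-1": &priv.PublicKey}}
	a := sign(priv, s.rpID, s.origin, s.newChallenge())
	expiresIn, first = s.redeem("cred-1", a)
	_, replay = s.redeem("cred-1", a)
	return
}

func main() { fmt.Println(demo()) }
```

The challenge has to be fetched from the AS before the assertion is created and is deleted as soon as it is redeemed, so the same assertion presented twice is rejected at the challenge lookup before any signature work is done; this is the property that lets the grant be exchanged for a short-lived token without a refresh token, as discussed above.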