Re: [OAUTH-WG] OTP-flow use case (sharing energy data)

2019-01-16 Thread Dave Tonge
Hi Daniel This is the repo: https://bitbucket.org/openid/mobile/src and it has an issue tracker. This is the mailing list: http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile It would be good to get your feedback. Thanks Dave On Wed, 16 Jan 2019 at 15:35, Daniel Roesler wrot

Re: [OAUTH-WG] OTP-flow use case (sharing energy data)

2019-01-16 Thread Daniel Roesler
Thanks Nov and Dave! I have several questions about CIBA. Is this mailing list the appropriate place to ask them or is there another mailing list that is for discussions about CIBA? Daniel Roesler dan...@utilityapi.com On Tue, Jan 15, 2019 at 11:01 PM Dave Tonge wrote: > > Hi Daniel > > This i

Re: [OAUTH-WG] OTP-flow use case (sharing energy data)

2019-01-15 Thread Dave Tonge
Hi Daniel This is an interesting use-case. As mentioned by nov, CIBA could potentially solve this problem. The difference would be step 9 in your user story. Instead of the user entering the code at the kio

Re: [OAUTH-WG] OTP-flow use case (sharing energy data)

2019-01-15 Thread nov matake
Your use case seems to fit CIBA, which is being defined in the OpenID Foundation. Section 6 of the CIBA spec will describe how your use case fits it. https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#rfc.section.6 CIBA is an extension of OpenID Connect, not OAuth, bu

Re: [OAUTH-WG] OTP-flow use case (sharing energy data)

2019-01-15 Thread Daniel Roesler
Thanks for the reply! Yes, that is essentially what we would like to do. We really like the "here's a code to authorize" part of device-flow, but we are trying to not require the authorization server build a user interface for the user to authenticate themselves and enter the code (because we've f

Re: [OAUTH-WG] OTP-flow use case (sharing energy data)

2019-01-15 Thread Omer Levi Hevroni
Nope, device flow still requires interactive login flow from the user, just on another device. My flow aims for strong device authentication, without any user interaction. My flow has some similarity to oauth client assertion flow - https://tools.ietf.org/html/rfc7523, with modifications for mobile

Re: [OAUTH-WG] OTP-flow use case (sharing energy data)

2019-01-15 Thread Samuel Erdtman
To me this looks similar to the device flow. https://tools.ietf.org/html/draft-ietf-oauth-device-flow-13 See figure 1. My interpretation of what you want to do is to split up step B so that the code goes via another channel and then reverse the direction of C and D. So maybe you could ride on som

[OAUTH-WG] OTP-flow use case (sharing energy data)

2019-01-15 Thread Daniel Roesler
Howdy, Rifaat recommended I post to the mailing list. Specifically, I am looking for a mentor and feedback on a potential new OAuth flow (currently called OTP-flow). Background: I am a participant in the California Public Utility Commission's Customer Data Access Committee (CPUC CDAC), and we are