Re: [OAUTH-WG] One-time token login

2021-03-03 Thread Warren Parad
I just formed a strong opinion, so I apologize if this comes across as if I know something in the area. I think the warning is key here: [image: image.png] And in reality the WebOTP verification of phone numbers is actually a workaround for establishing client access via the real AS which in this

Re: [OAUTH-WG] One-time token login

2021-03-02 Thread Evert Pot
Thanks Neil & Hans, Our AS doesn't do jwt quite yet. It's in-house, but open source. We don't have rfc7523 yet, but this does sound like a pretty great longer-term solution. We're a bit time constrained, so perhaps this feature just needs to be done as a one-off before we can do RFC7523 for r

Re: [OAUTH-WG] One-time token login

2021-03-02 Thread Neil Madden
One option is JWT Bearer grant with “jti” and replay prevention (https://tools.ietf.org/html/rfc7523#page-7) if your AS supports it. This is nice if some other component is generating the emails as it needs no coordination with the AS. — Neil > On 2 Mar 2021, at 19:04, Evert Pot wrote: > >

Re: [OAUTH-WG] One-time token login

2021-03-02 Thread Hans Zandbelt
IMHO this use case is about proving the ownership of an e-mail address to authenticate the user to obtain an access token. The authorization code is not really suitable because it is supposed to be short lived and (more or less by induction) supposed to be associated with an account at the AS. I'd

Re: [OAUTH-WG] One-time token login

2021-03-02 Thread Justin Richer
I agree that it seems strange to use the authorization code in such a manner, though I can see how it could work on a technical basis. While it’s not an exact match, you might want to look at the Device Grant: https://tools.ietf.org/html/rfc8628 Here you i

[OAUTH-WG] One-time token login

2021-03-02 Thread Evert Pot
Dear list, We have a requirement to let users log in to an application via a code sent by email. This code needs to be exchanged for an access/refresh token pair, and should only work once. The access/refresh token scope would give limited access to the application. Since we already use the