Hi Omer and welcome to the OAuth WG,

On 14/02/18 22:48, Omer Levi Hevroni wrote:
> Hello
> My name is Omer, and I am working at Soluto. We wanted to find a way to
> authenticate our mobile application, without any user interaction - as this
> will affect the user experience. We developed a new authentication flow,
> similar to JWT client assertion. I've given a talk about this flow in a few
> conferences, and the main feedback was that it is interesting enough to
> consider writing an RFC about it.
> Currently I'm looking to hear more opinions before starting to write an RFC -
> so any feedback will be appreciated. I'm also looking for someone to help
> me get started and review the RFC - if you're interested let me know.
> To find more about this solution:
> - This is a blog post describing it:
>   https://blog.solutotlv.com/userless-mobile-authentication/
> - This is a link to the slides (recording should be available soon):
>   https://www.slideshare.net/SolutoTLV/authentication-without-authentication-appsec-california

Looks like a neat protocol to maintain a continuous auth session between
client and AS.

Did you take a look at https://tools.ietf.org/html/rfc7523#section-2.1 ?
This may be more suitable to pass the JWT, rather than tunneling it via the
password grant.

Vladimir
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
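
As an added illustration of the RFC 7523 section 2.1 suggestion in the reply above (not code from either poster or from Soluto), this sketch builds a token request that carries the JWT in the `assertion` parameter and shows an authorization server accepting only that shape. The endpoint URL, device identifier, HS256 shared key and the fields of the password-grant variant are assumptions made for the example.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qs, urlencode

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"  # RFC 7523, section 2.1
TOKEN_ENDPOINT = "https://as.example.com/token"  # constructed AS token endpoint
DEVICE_KEY = b"constructed-demo-key"  # assumption: shared HS256 key, demo only

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input, key):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def make_assertion(device_id, key, now, lifetime=60):
    """Client side: short-lived JWT with the claims RFC 7523 section 3 requires."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": device_id, "sub": device_id, "aud": TOKEN_ENDPOINT,
              "iat": now, "exp": now + lifetime}
    signing_input = ".".join(b64u(json.dumps(p).encode()) for p in (header, claims))
    return signing_input + "." + b64u(sign(signing_input, key))

def jwt_bearer_body(assertion):
    """Token request where the JWT is the grant itself."""
    return urlencode({"grant_type": JWT_BEARER, "assertion": assertion})

def password_grant_body(device_id, assertion):
    """Assumed shape of the tunneled variant: the JWT rides in 'password'."""
    return urlencode({"grant_type": "password", "username": device_id,
                      "password": assertion})

def validate_request(body, key, now):
    """AS side: return the subject for a valid jwt-bearer request, else None."""
    form = parse_qs(body)
    if form.get("grant_type") != [JWT_BEARER] or len(form.get("assertion", [])) != 1:
        return None
    try:
        head, payload, sig = form["assertion"][0].split(".")
        header, claims = json.loads(b64u_dec(head)), json.loads(b64u_dec(payload))
        sig_ok = hmac.compare_digest(sign(head + "." + payload, key), b64u_dec(sig))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return None
    if header.get("alg") != "HS256" or not sig_ok:
        return None
    exp = claims.get("exp")
    if claims.get("aud") != TOKEN_ENDPOINT or not isinstance(exp, int) or exp <= now:
        return None
    if not claims.get("iss") or not isinstance(claims.get("sub"), str):
        return None
    return claims["sub"]
```

With per-device keys, an asymmetric algorithm would take the place of HS256 so the authorization server stores only public keys.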