Thanks Dick, Our use case is to connect IoT devices to a cloud service. The cloud service has to authenticate those devices. The devices are not operated by humans. They run on its own.
We want public key-based authentication for those devices. In that case, mutual TLS is a popular option (e.g. AWS IoT Core). However, we don't want to use mutual TLS for several reasons (e.g. it's too coupled with the transport layer). So, we are seeking a solution that is more in application layer. Toshio Ito From: Dick Hardt <[email protected]> Sent: Friday, October 1, 2021 12:53 PM To: ito toshio(伊藤 俊夫 ○RDC□IT研○CNL) <[email protected]> Cc: [email protected] Subject: Re: [OAUTH-WG] self-issued access tokens Would be useful to understand your use case and what you the goals and constraints are On Thu, Sep 30, 2021 at 5:58 PM <[email protected]<mailto:[email protected]>> wrote: Thanks Dick, I agree. The scenario of self-issued access tokens doesn't really follow the model of OAuth. So, if we do standardize self-issued access tokens, maybe OAUTH WG is not the right venue. Maybe HTTPBIS or HTTPAPI WGs? Toshio Ito From: Dick Hardt <[email protected]<mailto:[email protected]>> Sent: Wednesday, September 29, 2021 3:06 PM To: ito toshio(伊藤 俊夫 ○RDC□IT研○CNL) <[email protected]<mailto:[email protected]>> Cc: [email protected]<mailto:[email protected]> Subject: Re: [OAUTH-WG] self-issued access tokens If the client is sending a self-signed JWT to the RS, you essentially are just authenticating directly to the RS. Not really OAuth as the RS has not delegated authorization authority to the AS. If the client sends a self-signed JWT (a PAR) to the AS, and gets back an access token to present to the RS, you get centralized authorization decisions, a key feature of OAuth.
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
