I didn't think this all the way through, but my immediate thought is,
doesn't the JWT Bearer directly support this already:
https://www.rfc-editor.org/rfc/rfc7523

It's not an exact match but I believe most if not all of it follows pretty
well. If it doesn't, it might be interesting to improve the current JWT
Bearer with whatever is missing.

On the surface one of the things that is missing is the nonce that is
generated by the AS as part of the login or sign up request, as well as the
sign up flow to register. Although I'm thinking what is really missing is
"dynamic user registration", although I don't believe that is covered by
any of the other grants, so maybe we ignore that part for now.

This is an interesting thought though, I'd be happy to collaborate on this
if this is a direction you end up going.

- Warren

On Fri, Dec 23, 2022 at 7:45 PM Malla Simhachalam <
mallasimhacha...@gmail.com> wrote:

> Hello All,
>
>  Hope you are all doing great. We have been thinking of creating a
> proposal for a new OAuth2 authorization grant based on the FIDO
> credentials, please let us know your thoughts so that we can put together a
> draft proposal.
>
> /******
>
> Abstract: FIDO Profile for OAuth2.0 Authorization Grants
>
> Fast Identity Online (FIDO) and WebAuthn are open standards that define
> strong cryptographic credentials that are alternatives to passwords for
> accessing websites and apps with secure and faster login experiences for
> users. FIDO and WebAuthn protocols have been developed through FIDO
> Alliance and W3C standard bodies. The OAuth 2.0 Authorization Framework [
> RFC6749 <https://www.rfc-editor.org/rfc/rfc6749>] provides a method for
> making authenticated HTTP requests to a resource using an access token.
> Access tokens are issued to third-party clients by an authorization server
> (AS) with the (sometimes implicit) approval of the resource owner.  In
> OAuth, an authorization grant is an abstract term used to describe
> intermediate credentials that represent the resource owner authorization.
> An authorization grant is used by the client to obtain an access token.
> Several authorization grant types are defined to support a wide range of
> client types and user experiences.  OAuth also allows for the definition of
> new extension grant types to support additional clients or to provide a
> bridge between OAuth and other trust frameworks.
>
> This proposal defines a new authorization grant and how FIDO credentials
> can be used to obtain an access token. FIDO credentials are the resource owner's
> credentials, used directly as an authorization grant to obtain an access token.
> The credentials should only be used when there is a high degree of trust
> between the resource owner and the client. Even though this grant type
> requires direct client access to the resource owner credentials, the
> resource owner credentials are used for a single request and are exchanged
> for an access token.
>
>
> Token endpoint sample:
>
> POST /v1/oauth2/token HTTP/1.1
> Host: authz.example.net
> Content-Type: application/x-www-form-urlencoded
>
> grant_type=urn:ietf:params:oauth:grant-type:webauthn-assertion
>      &webauthn_assertion=<authenticator_assertion_response>
>
> HTTP/1.1 200 OK
> Content-Type: application/json
>
> {
>     "access_token" : "A23.xjHEJEH830JLD",
>     "expires_in" : 900
> }
> ***/
>
> Thanks,
> Malla
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
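The verification the AS token endpoint would need for the proposed grant, and the nonce binding Warren raises, as an added Go example (not code from this thread or any project): the AS checks the WebAuthn assertion against the nonce it issued for the login, its own RP ID and origin, and the credential's registered public key before it issues an access token. The assertion field names, the RP ID, origin and nonce values are assumptions for illustration, and the authenticator side is simulated with a software key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
)
// Assertion: the parts of authenticator_assertion_response the AS needs (field names assumed).
type Assertion struct{ ClientDataJSON, AuthenticatorData, Signature []byte }
// VerifyAssertion is what the AS token endpoint must do before treating the assertion as a grant:
// challenge == the nonce the AS issued for this login (consume it afterwards so it cannot be replayed),
// origin and rpIdHash are the AS's own, user presence is set, and the signature verifies over
// authenticatorData || SHA-256(clientDataJSON) under the key registered for the credential at sign-up.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID, origin string, nonce []byte, a Assertion) error {
	var cd map[string]interface{}
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd["type"] != "webauthn.get" || cd["origin"] != origin || cd["challenge"] != base64.RawURLEncoding.EncodeToString(nonce) {
		return errors.New("clientData type, origin or challenge is not what the AS issued")
	}
	rpHash := sha256.Sum256([]byte(rpID)) // authenticatorData = rpIdHash(32) | flags(1) | signCount(4) | ...
	if len(a.AuthenticatorData) < 37 || string(a.AuthenticatorData[:32]) != string(rpHash[:]) || a.AuthenticatorData[32]&0x01 == 0 {
		return errors.New("authenticatorData: rpIdHash mismatch or user presence (UP) not set")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, a.AuthenticatorData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], a.Signature) {
		return errors.New("signature invalid under the registered key")
	}
	return nil
}
// NewCredential and SignAssertion stand in for the authenticator (ES256, WebAuthn alg -7) so the
// exchange can be run end to end; a real authenticator never exposes the private key.
func NewCredential() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
func SignAssertion(priv *ecdsa.PrivateKey, rpID, origin string, nonce []byte) (Assertion, error) {
	cdj, _ := json.Marshal(map[string]interface{}{"type": "webauthn.get", "origin": origin,
		"challenge": base64.RawURLEncoding.EncodeToString(nonce), "crossOrigin": false})
	rpHash := sha256.Sum256([]byte(rpID))
	ad := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: UP set; signCount = 1 (big-endian)
	cdHash := sha256.Sum256(cdj)
	digest := sha256.Sum256(append(append([]byte{}, ad...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return Assertion{cdj, ad, sig}, err
}
```

An AS would also persist the assertion's signCount per credential and reject a value that does not increase, which this example leaves out.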