Re: [OAUTH-WG] questions on Seamless OAuth 2.0 Client Assertion Grant

2018-11-13 Thread Omer Levi Hevroni
Ok, thanks for the clarification. Your point about a user with multiple devices is correct - but it is by design. The goal of this protocol is to allow device authentication - there is no information about the user. Therefore, there is also no way to associate devices to a user. It creates challeng

Re: [OAUTH-WG] questions on Seamless OAuth 2.0 Client Assertion Grant

2018-11-12 Thread Dick Hardt
I understand better, thanks! From an OAuth perspective, this is a client credentials grant. You have added some other checks that may or may not help the security profile, but at the core, you have a private key on the device that is the primary credential, and is device oriented. FWIW: there ar

Re: [OAUTH-WG] questions on Seamless OAuth 2.0 Client Assertion Grant

2018-11-11 Thread Omer Levi Hevroni
Ok, let me try. At the company where I work, we have an app that is used by our users. We want to have a way to authenticate the requests from the application, without requiring the user to perform any interactive login flow. I described it more in-depth in the blog post - https://blog.solutotlv.c

Re: [OAUTH-WG] questions on Seamless OAuth 2.0 Client Assertion Grant

2018-11-08 Thread Dick Hardt
More detail on the scenario would help. On Fri, Nov 9, 2018 at 2:04 AM Omer Levi Hevroni wrote: > Yes, that is correct. > I'm sorry for the confusion, I think this confusion is built into > the OAuth framework itself. > You understood well the scenario - I have an application running on an > untrusted d

Re: [OAUTH-WG] questions on Seamless OAuth 2.0 Client Assertion Grant

2018-11-08 Thread Omer Levi Hevroni
Yes, that is correct. I'm sorry for the confusion, I think this confusion is built into the OAuth framework itself. You understood well the scenario - I have an application running on an untrusted device in an untrusted network. I looked for a way to authenticate the requests from the device to AS. Does it

[OAUTH-WG] questions on Seamless OAuth 2.0 Client Assertion Grant

2018-11-08 Thread Dick Hardt
Omar As promised, I have reviewed the ID[1] you posted. I'm confused in the Motivation by the references to authentication, as OAuth is about authorization. Perhaps you can post to the list the use case you are trying to solve for? I can infer aspects, but don't fully understand it. From what I