[Openid-specs-ab] Using OIDC for "device authentication"
rich levinson
rich.levinson at oracle.com
Tue Oct 3 17:46:05 UTC 2017
Hi George and Adam,
My thought on this is that if one had a cell phone with a public/private key pair,
and the pub key was registered with the az-svr, then there is really very little
difference between the user and the device, i.e. my device, my key pair.
All you'd need to do is have the user "sign" something with the priv key
in order to log in to the az-svr.
One could even add a user pwd as a 2nd factor.
Thanks,
Rich
On 10/3/2017 1:18 AM, Adam Dawes wrote:
> We do a flavor of this with Firebase Anonymous Authentication <https://firebase.google.com/docs/auth/web/anonymous-auth>. It's not exactly a device ID, because the token still includes a normal sub like a typical login. However, there isn't any profile data or backing credential for that "account", so for practical purposes it can only be used on that device. The benefit of doing this is it allows the user to be "upgraded" to a regular account by decorating the anonymous account with profile data and a login method. This is great for shopping cart scenarios where the underlying app logic can store data for the user and perform other logic on the user in a "logged out" state.
>
> On Mon, Oct 2, 2017 at 6:52 PM, George Fletcher via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
>
> Hi Rich,
>
> Yes that would work though it requires the user to know the client credentials. That might be weird for a consumer to know and for public clients that don't have a secret would mean just the client_id. I'll have to think about this.
>
> Thanks,
> George
>
>
> On 10/2/17 7:00 PM, rich levinson wrote:
>
> Hi George,
>
> I have not explicitly verified this, however, I would imagine that a user
> using a client device could, in theory, launch a request using the
> OIDC Authorization Code flow from that device, where the user could
> provide the client creds for login, and if the az-svr accepted that for
> login then the identity and access tokens would have the device
> id as the subject, I think.
>
> Thanks,
> Rich
>
>
> On 10/2/2017 11:46 AM, George Fletcher via Openid-specs-ab wrote:
>
> I'm just curious if anyone else has looked at trying to leverage the OIDC redirect flow but instead of doing end-user authentication... authenticating the device. I have a use case where one property needs to redirect the device to the OP and get back a code to exchange for tokens. The "subject" of the token is the device identifier not the end-user.
>
> I realize that OIDC was not really designed for this, but it does have a lot of the protections needed for redirect based protocols:)
>
> Thanks,
> George
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
> --
> Adam Dawes | Sr. Product Manager | adawes at google.com | +1 650-214-2410
>
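Rich's sketch above (a device key pair whose public half is registered with the az-svr, and a signature as the login) as an added example that is not part of this thread or of any OP: a hypothetical challenge-response server in Go, with a made-up server name "az-svr.example" and device id "device-42". The signed input binds the nonce to the device id and to the server, and every nonce is consumed on first use, which is the check a reviewer would want before the az-svr puts that device id into the token's sub.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// DeviceAuthServer is a hypothetical az-svr: registered device keys and pending one-time nonces.
type DeviceAuthServer struct {
	keys       map[string]ed25519.PublicKey // device id -> registered public key
	challenges map[string][]byte            // device id -> unconsumed nonce
}
func NewServer() *DeviceAuthServer { return &DeviceAuthServer{map[string]ed25519.PublicKey{}, map[string][]byte{}} }

// Register binds a device id to its public key ("my device, my key pair").
func (s *DeviceAuthServer) Register(id string, pub ed25519.PublicKey) { s.keys[id] = pub }

// SigningInput binds the nonce to the device id and to this server's name, so a
// signature produced for one audience cannot be relayed to another.
func SigningInput(id string, nonce []byte) []byte { return append([]byte("az-svr.example|"+id+"|"), nonce...) }

// Challenge hands the device a fresh random nonce; each nonce is usable once.
func (s *DeviceAuthServer) Challenge(id string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[id] = nonce
	return nonce, nil
}

// Authenticate verifies the signature under the registered key and returns what the token's
// "sub" would carry: the device id. The nonce is consumed on every attempt, so no replay.
func (s *DeviceAuthServer) Authenticate(id string, sig []byte) (string, error) {
	nonce, ok := s.challenges[id]
	delete(s.challenges, id)
	pub, registered := s.keys[id]
	if !ok || !registered || !ed25519.Verify(pub, SigningInput(id, nonce), sig) {
		return "", errors.New("unknown device, no outstanding challenge, or bad signature")
	}
	return id, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // key pair held on the phone
	srv, id := NewServer(), "device-42"
	srv.Register(id, pub)
	nonce, _ := srv.Challenge(id)
	fmt.Println(srv.Authenticate(id, ed25519.Sign(priv, SigningInput(id, nonce))))
}
```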