[Openid-specs-ab] grant_type=fido2 / WWW-Authenticate: fido2 / display=fido2

Michael Schwartz mike at gluu.org
Thu Jul 13 19:53:56 UTC 2023


OpenIDenterati,

I'm working on a design for first party mobile app authentication. I'd 
like to use FIDO, but only backchannel authentication. The idea is to 
use the standard FIDO SDK in iOS and Android. FIDO authn by itself is 
not enough--we also need access tokens to call a backend API.

Does anyone think it's feasible to create a "fido2" OAuth grant type? My 
thought is that the client would send an id_token with the OAuth token 
request, and if the AS doesn't like it, it would return:

401/Unauthorized
WWW-Authenticate: fido

The client would then FIDO2 authenticate the person, using a string 
value from the FIDO authn response as a reference token to obtain a new 
id_token at the authorize endpoint, using the authn request param 
display=fido2.

Is this a crazy idea?

thx,

Mike

PS: If you want to see an overview of the entire flow, see this wiki 
page:
  https://github.com/JanssenProject/jans/wiki/Mobile-DPoP-FIDO-Authn


--------------------------------------
Michael Schwartz
Gluu
Founder / CEO
mike at gluu.org
https://www.linkedin.com/in/nynymike/
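
The exchange sketched in the message above, as an added Python model that is not part of the original post and is not OpenID or Janssen code. It shows the token request, the `WWW-Authenticate: fido` challenge, and the `display=fido2` step that trades the FIDO reference string for a new id_token. Assumptions: the class and function names, opaque random strings in place of signed id_tokens, a stubbed FIDO ceremony, and a reference string that is single use.

```python
import secrets
import time

class AuthServer:
    """Toy in-memory AS modelling the proposed flow (all names are assumptions)."""
    def __init__(self, id_token_ttl=300):
        self.ttl = id_token_ttl
        self.id_tokens = {}   # id_token -> (subject, expiry time)
        self.fido_refs = {}   # reference string -> subject

    def token(self, grant_type, id_token, now=None):
        # Token endpoint: grant_type=fido2 carries an id_token.
        now = time.time() if now is None else now
        subject, expiry = self.id_tokens.get(id_token, (None, 0))
        if grant_type != "fido2" or subject is None or expiry <= now:
            # The AS rejects the id_token and challenges, as in the email.
            return 401, {"WWW-Authenticate": "fido"}, None
        return 200, {}, {"access_token": secrets.token_urlsafe(16), "sub": subject}

    def fido_assertion_verified(self, subject):
        # Stand-in for a completed FIDO2 ceremony (no real WebAuthn here);
        # returns the string the client later uses as a reference token.
        ref = secrets.token_urlsafe(16)
        self.fido_refs[ref] = subject
        return ref

    def authorize(self, display, fido_ref, now=None):
        # Authorize endpoint with display=fido2: swap the reference for an id_token.
        now = time.time() if now is None else now
        subject = self.fido_refs.pop(fido_ref, None)  # assumption: single use
        if display != "fido2" or subject is None:
            return 400, None
        id_token = secrets.token_urlsafe(16)  # opaque stand-in for a signed JWT
        self.id_tokens[id_token] = (subject, now + self.ttl)
        return 200, id_token

def get_access_token(server, subject, id_token):
    """Client side: try the token request, step up with FIDO on the challenge."""
    status, headers, body = server.token("fido2", id_token)
    stepped_up = False
    if status == 401 and headers.get("WWW-Authenticate") == "fido":
        ref = server.fido_assertion_verified(subject)
        status, id_token = server.authorize("fido2", ref)
        if status != 200:
            raise PermissionError("authorize endpoint rejected the FIDO reference")
        status, headers, body = server.token("fido2", id_token)
        stepped_up = True
    if status != 200:
        raise PermissionError("token request failed")
    return body["access_token"], id_token, stepped_up
```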
