[Openid-specs-ab] grant_type=fido2 / WWW-Authenticate: fido2 / display=fido2

Aaron Parecki aaron at parecki.com
Thu Jul 13 22:27:11 UTC 2023


Hi Mike,

Will you be at the next IETF meeting in San Francisco? I'm going to be
presenting some work there that has some similar overlap to this and would
love to chat about this more to see if we can combine forces on it.

Aaron



On Thu, Jul 13, 2023 at 12:59 PM Michael Schwartz via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

>
> OpenIDenterati,
>
> I'm working on a design for first party mobile app authentication. I'd
> like to use FIDO, but only backchannel authentication. The idea is to
> use the standard FIDO sdk in iOS and Android. FIDO authn by itself is
> not enough--we also need access tokens to call a backend API.
>
> Does anyone think it's feasible to create a "fido2" OAuth grant type? My
> thought is that the client would send an id_token with the OAuth token
> request, and if the AS doesn't like it, it would return:
>
> 401/Unauthorized
> WWW-Authenticate: fido
>
> The client would then FIDO2 authenticate the person, using a string
> value from the FIDO authn response as a reference token to obtain a new
> id_token at the authorize endpoint, using the authn request param
> display=fido2.
>
> Is this a crazy idea?
>
> thx,
>
> Mike
>
> PS: If you want to see an overview of the entire flow, see this wiki
> page:
>   https://github.com/JanssenProject/jans/wiki/Mobile-DPoP-FIDO-Authn
>
>
> --------------------------------------
> Michael Schwartz
> Gluu
> Founder / CEO
> mike at gluu.org
> https://www.linkedin.com/in/nynymike/
>
> ----
> IMPORTANT: The contents of this email and any attachments are
> confidential. They are intended for the named recipient(s) only. If you
> have received this email by mistake, please notify the sender immediately
> and do not disclose the contents to anyone or make copies thereof. All
> views and opinions expressed in this email message are the personal
> opinions of the author and do not represent those of the GLUU Inc. No
> liability can be held for any damages, however, caused, to any recipients
> of this message. No employee or agent is authorized to conclude any binding
> agreement on behalf of the company with another party by email without
> specific confirmation.
>
> 600 Congress Ave., 14th Floor, Austin TX 78701
>
> GLUU Privacy Policy(https://gluu.org/gluu-privacy-policy/)
>
> To unsubscribe please forward this email to unsubscribe at gluu.org
>
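The exchange Mike sketches above, as an added, runnable toy model written for this page (it is not code from the post, from Gluu or from the Janssen project): the client sends an id_token with a grant_type=fido2 token request, the AS rejects it with 401 and WWW-Authenticate: fido, the client performs FIDO2 authentication, takes a string from the FIDO response to the authorize endpoint with display=fido2, receives a fresh id_token and retries. Everything concrete in it is an assumption: an HMAC stands in for the authenticator's signature, the `fido_ref` parameter name, the `invalid_grant` / `unsupported_grant_type` error bodies, the credential registry and the 60-second reference-token lifetime are all constructed. The checks an AS would want are the ones shown: the challenge is issued by the AS and consumed on verification, and the reference token is single-use and short-lived.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

AS_KEY = b"constructed-as-id-token-key"  # constructed: the AS's id_token signing key
REF_TOKEN_TTL = 60                        # assumption: seconds a reference token stays usable
# Constructed registry; the per-credential secret stands in for the authenticator's public key.
CREDENTIALS = {"cred-abc": {"secret": b"constructed-authenticator-secret", "sub": "alice"}}
_issued_challenges = set()  # challenges the AS handed out and not yet consumed
_pending_refs = {}          # reference token -> (sub, issued_at); consumed once

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_id_token(sub: str, ttl: int = 300, now: Optional[float] = None) -> str:
    """Issue a minimal signed id_token (base64 payload + HMAC); not a real JWT."""
    now = time.time() if now is None else now
    payload = _b64(json.dumps({"sub": sub, "exp": int(now + ttl)}).encode())
    return f"{payload}.{hmac.new(AS_KEY, payload.encode(), hashlib.sha256).hexdigest()}"

def verify_id_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, else None."""
    now = time.time() if now is None else now
    payload, sep, mac = token.partition(".")
    expected = hmac.new(AS_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not sep or not hmac.compare_digest(mac, expected):
        return None
    claims = json.loads(_unb64(payload))
    return claims if claims["exp"] > now else None

def fido_challenge() -> bytes:
    """AS (FIDO server) issues a fresh challenge so an assertion cannot be replayed."""
    challenge = secrets.token_bytes(32)
    _issued_challenges.add(_b64(challenge))
    return challenge

def fido_authenticate(credential_id: str, challenge: bytes) -> dict:
    """Constructed stand-in for the platform FIDO SDK: sign the AS's challenge."""
    secret = CREDENTIALS[credential_id]["secret"]
    return {"credential_id": credential_id, "challenge": _b64(challenge),
            "signature": hmac.new(secret, challenge, hashlib.sha256).hexdigest()}

def fido_server_verify(assertion: dict, now: Optional[float] = None) -> Optional[dict]:
    """AS side: verify the assertion and answer with the 'reference token' string."""
    now = time.time() if now is None else now
    cred = CREDENTIALS.get(assertion["credential_id"])
    if cred is None or assertion["challenge"] not in _issued_challenges:
        return None
    _issued_challenges.discard(assertion["challenge"])  # one use per challenge
    expected = hmac.new(cred["secret"], _unb64(assertion["challenge"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return None
    ref = secrets.token_urlsafe(16)
    _pending_refs[ref] = (cred["sub"], now)
    return {"status": "ok", "reference_token": ref}

def authorize_endpoint(params: dict, now: Optional[float] = None) -> dict:
    """Authorize endpoint with display=fido2: swap a live reference token for a new id_token."""
    now = time.time() if now is None else now
    if params.get("display") != "fido2":
        return {"status": 400, "body": {"error": "invalid_request"}}
    entry = _pending_refs.pop(params.get("fido_ref", ""), None)  # pop => single use
    if entry is None or now - entry[1] > REF_TOKEN_TTL:
        return {"status": 401, "body": {"error": "invalid_grant"}}
    return {"status": 200, "body": {"id_token": mint_id_token(entry[0], now=now)}}

def token_endpoint(form: dict, now: Optional[float] = None) -> dict:
    """Token endpoint for grant_type=fido2: a rejected id_token gets 401 + WWW-Authenticate: fido."""
    if form.get("grant_type") != "fido2":
        return {"status": 400, "headers": {}, "body": {"error": "unsupported_grant_type"}}
    claims = verify_id_token(form.get("id_token", ""), now)
    if claims is None:
        return {"status": 401, "headers": {"WWW-Authenticate": "fido"}, "body": {"error": "invalid_grant"}}
    return {"status": 200, "headers": {}, "body": {"access_token": secrets.token_urlsafe(24),
                                                 "token_type": "Bearer", "sub": claims["sub"]}}

def client_flow(id_token: str, credential_id: str = "cred-abc", now: Optional[float] = None) -> dict:
    """Mobile client: try the grant; on the fido challenge, FIDO2-authenticate, refresh the id_token, retry."""
    now = time.time() if now is None else now
    resp = token_endpoint({"grant_type": "fido2", "id_token": id_token}, now)
    if resp["status"] == 401 and resp["headers"].get("WWW-Authenticate") == "fido":
        fido_resp = fido_server_verify(fido_authenticate(credential_id, fido_challenge()), now)
        authz = authorize_endpoint({"display": "fido2",
                                    "fido_ref": (fido_resp or {}).get("reference_token", "")}, now)
        if authz["status"] != 200:
            return {"status": authz["status"], "body": authz["body"], "id_token": id_token}
        id_token = authz["body"]["id_token"]
        resp = token_endpoint({"grant_type": "fido2", "id_token": id_token}, now)
    return {"status": resp["status"], "body": resp["body"], "id_token": id_token}
```

Call `client_flow(mint_id_token("alice", ttl=-5))` to drive the whole round trip from a stale id_token to an access token. The two properties worth keeping in any real implementation of this idea are the ones the model enforces: the AS only accepts assertions over challenges it issued (and consumes them), and the reference token that bridges the FIDO response to the authorize endpoint is single-use with a short lifetime, so a captured one cannot be turned into an id_token later.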

