[Openid-specs-ab] grant_type=fido2 / WWW-Authenticate: fido2 / display=fido2

Michael Schwartz mike at gluu.org
Fri Jul 14 14:18:17 UTC 2023


Aaron,

Thanks for responding! I know it's summer and everyone is relaxing, with 
little time to ponder FIDO / OpenID integration.

I thought about posting this idea to the OAuth mailing list. But in the 
end, it's really about person authentication--the end result is the 
issuance of a new id_token. And `display=fido` relates to the end user 
authn experience. So net-net, it seems more like an OpenID recipe.

I'm sort of surprised that I'm the first person suggesting this... it 
seems so obvious. I thought the EAP work group (not sure of the status) 
was figuring out how to get FIDO and OpenID to work together.

- Mike


On 2023-07-13 17:27, Aaron Parecki wrote:
> Hi Mike,
> 
> Will you be at the next IETF meeting in San Francisco? I'm going to be
> presenting some work there that has some similar overlap to this and
> would love to chat about this more to see if we can combine forces on
> it.
> 
> Aaron
> 
> On Thu, Jul 13, 2023 at 12:59 PM Michael Schwartz via
> Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> 
>> OpenIDenterati,
>> 
>> I'm working on a design for first party mobile app authentication. I'd
>> like to use FIDO, but only backchannel authentication. The idea is to
>> use the standard FIDO sdk in iOS and Android. FIDO authn by itself is
>> not enough--we also need access tokens to call a backend API.
>> 
>> Does anyone think it's feasible to create a "fido2" OAuth grant type? My
>> thought is that the client would send an id_token with the OAuth token
>> request, and if the AS doesn't like it, it would return:
>> 
>> 401/Unauthorized
>> WWW-Authenticate: fido
>> 
>> The client would then FIDO2 authenticate the person, using a string
>> value from the FIDO authn response as a reference token to obtain a new
>> id_token at the authorize endpoint, using the authn request param
>> display=fido2.
>> 
>> Is this a crazy idea?
>> 
>> thx,
>> 
>> Mike
>> 
>> PS: If you want to see an overview of the entire flow, see this wiki
>> page:
>> https://github.com/JanssenProject/jans/wiki/Mobile-DPoP-FIDO-Authn
>> 
>> --------------------------------------
>> Michael Schwartz
>> Gluu
>> Founder / CEO
>> mike at gluu.org
>> https://www.linkedin.com/in/nynymike/
>> 
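The exchange sketched in the quoted proposal, simulated end to end as an added example (not code from this thread or from the Janssen wiki page): the token endpoint challenges a client whose id_token it rejects with 401 plus WWW-Authenticate: fido2 (the value from the subject line), the client authenticates with FIDO2 and forwards the reference string to the authorize endpoint under display=fido2, gets a fresh id_token, and retries the token request. The HMAC-signed tokens, the in-memory FIDO reference store (single-use, so a captured reference cannot be replayed) and the `fido_ref` parameter name are assumptions of this example, not anything the proposal specifies.

```python
import base64, hashlib, hmac, json, secrets

AS_KEY = secrets.token_bytes(32)  # constructed: AS signing key (HMAC stands in for a real JWS key)
ID_TOKEN_TTL = 300                # assumption: id_token lifetime in seconds

def _sign(claims):
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(AS_KEY, body.encode(), hashlib.sha256).hexdigest()

def verify_id_token(token, now):
    """Claims if the token carries our MAC and has not expired, else None."""
    body, _, mac = token.partition(".")
    expected = hmac.new(AS_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not mac or not hmac.compare_digest(mac, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims if claims.get("exp", 0) > now else None

_fido_refs = {}  # FIDO server: reference tokens issued after a successful assertion, single use

def fido_authenticate(user):
    """Stand-in for the FIDO2 assertion round trip; returns the reference string the client forwards."""
    ref = secrets.token_urlsafe(24)
    _fido_refs[ref] = user
    return ref

def authorize_endpoint(params, now):
    """display=fido2: swap a FIDO reference token for a fresh id_token (assumed param name fido_ref)."""
    if params.get("display") != "fido2":
        return 400, {}, {"error": "invalid_request"}
    user = _fido_refs.pop(params.get("fido_ref", ""), None)  # pop: a reference is good exactly once
    if user is None:
        return 401, {"WWW-Authenticate": "fido2"}, {"error": "invalid_grant"}
    return 200, {}, {"id_token": _sign({"sub": user, "iat": now, "exp": now + ID_TOKEN_TTL})}

def token_endpoint(form, now):
    """grant_type=fido2: an acceptable id_token yields an access token, anything else the challenge."""
    if form.get("grant_type") != "fido2":
        return 400, {}, {"error": "unsupported_grant_type"}
    claims = verify_id_token(form.get("id_token", ""), now)
    if claims is None:
        return 401, {"WWW-Authenticate": "fido2"}, {}
    return 200, {}, {"access_token": _sign({"sub": claims["sub"], "exp": now + 60, "typ": "at"})}

def run_flow(user, now):
    """The exchange as the mobile client sees it: challenge, FIDO authn, new id_token, access token."""
    status1, hdrs, _ = token_endpoint({"grant_type": "fido2", "id_token": "stale"}, now)
    _, _, body = authorize_endpoint({"display": "fido2", "fido_ref": fido_authenticate(user)}, now)
    status3, _, tok = token_endpoint({"grant_type": "fido2", "id_token": body["id_token"]}, now)
    return status1, hdrs.get("WWW-Authenticate"), status3, verify_id_token(tok["access_token"], now)["sub"]
```

An expired id_token or a reference the FIDO server never issued both fall back to the 401 challenge, which is the branch a real AS would need to rate-limit and log.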
