<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi George and Adam,<br>
<br>
My thought on this is that if one had a cell phone w a
public/private key pair,<br>
and the pub key was registered w the az-svr, then there is really
very little<br>
difference between the user and the device. i.e. my device, my key
pair.<br>
All you'd need to do is have the user "sign" something w the priv
key<br>
in order to log in to the az-svr.<br>
<br>
One could even add user pwd for 2nd factor.<br>
<br>
Thanks,<br>
Rich<br>
<br>
<br>
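Rich's proposal above (a key pair on the device, the public key registered with the az-svr, the device proving possession by signing a challenge, and the device id rather than a person ending up as the token subject), as an added example in Go; this is not code from this thread or from any OpenID or Firebase project.<br>
It assumes Ed25519 keys, an issuer URL of https://as.example, device ids such as device-42 and the signing-input layout shown, all constructed for illustration; the nonce is single use so a captured signature cannot be replayed, while minting the actual ID token and the optional password second factor are left out.<br>

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// AuthServer is the thread's "az-svr": registered device public keys plus single-use challenges.
type AuthServer struct {
	issuer  string
	devices map[string]ed25519.PublicKey
	nonces  map[string]bool // outstanding challenges; a real server would also expire them
}

func NewAuthServer(issuer string) *AuthServer {
	return &AuthServer{issuer, map[string]ed25519.PublicKey{}, map[string]bool{}}
}
// Register stores a device's public key; enrolment itself happens out of band.
func (as *AuthServer) Register(id string, pub ed25519.PublicKey) { as.devices[id] = pub }
// Challenge issues a fresh random nonce that the device must sign.
func (as *AuthServer) Challenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy: refuse to issue a challenge
	}
	n := base64.RawURLEncoding.EncodeToString(b)
	as.nonces[n] = true
	return n
}
// signingInput binds the nonce to the device id and issuer so a signature cannot be replayed elsewhere.
func signingInput(id, issuer, nonce string) []byte {
	return []byte("device-login\n" + id + "\n" + issuer + "\n" + nonce)
}
// DeviceSign runs on the device; the private key never leaves it.
func DeviceSign(priv ed25519.PrivateKey, id, issuer, nonce string) []byte {
	return ed25519.Sign(priv, signingInput(id, issuer, nonce))
}

// Login consumes the nonce, verifies the signature and returns the token subject: the device id.
func (as *AuthServer) Login(id, issuer, nonce string, sig []byte) (string, error) {
	ok := as.nonces[nonce]
	delete(as.nonces, nonce) // single use, consumed whether or not the rest succeeds
	pub, known := as.devices[id]
	if !ok || !known || issuer != as.issuer || !ed25519.Verify(pub, signingInput(id, issuer, nonce), sig) {
		return "", errors.New("device login rejected")
	}
	return id, nil
}
```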
<div class="moz-cite-prefix">On 10/3/2017 1:18 AM, Adam Dawes wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAOJhRMbLo5UwRPOKTf2fEVh7EB-VAh1P7mu7zKekrL7K6-jrog@mail.gmail.com">
<div dir="ltr">We do a flavor of this with <a
href="https://urldefense.proofpoint.com/v2/url?u=https-3A__firebase.google.com_docs_auth_web_anonymous-2Dauth&d=DwMFaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=nNxUKneeZofWTyt9qclOUTeEg29NkEkknFyDupoNiiA&m=Xwi3O3eZcSOK5P6hT-1k3HZeA2XoGamiQ395_C86bjA&s=7Wlhl-nc9OmCOJ44udUT6M9mmpo8U-mgavRv5rhB9tg&e="
moz-do-not-send="true">Firebase Anonymous Authentication</a>.
It's not exactly a device ID, because the token still includes a
normal sub like a typical login. However, there isn't any
profile data or backing credential for that "account", so for
practical purposes it can only be used on that device. The
benefit of doing this is that it allows the user to be "upgraded" to
a regular account by decorating the anonymous account with
profile data and a login method. This is great for shopping cart
scenarios where the underlying app logic can store data for the
user and perform other logic on the user in a "logged out"
state. </div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Oct 2, 2017 at 6:52 PM, George
Fletcher via Openid-specs-ab <span dir="ltr"><<a
href="mailto:openid-specs-ab@lists.openid.net"
target="_blank" moz-do-not-send="true">openid-specs-ab@lists.openid.net</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Rich,<br>
<br>
Yes, that would work, though it requires the user to know the
client credentials. That might be weird for a consumer to
know, and for public clients that don't have a secret it would
mean just the client_id. I'll have to think about this.<br>
<br>
Thanks,<br>
George
<div class="HOEnZb">
<div class="h5"><br>
<br>
On 10/2/17 7:00 PM, rich levinson wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi George,<br>
<br>
I have not explicitly verified this; however, I would
imagine that a user<br>
using a client device could, in theory, launch a
request using the<br>
OIDC Authorization Code flow from that device, where
the user could<br>
provide the client creds for login, and if the az-svr
accepted that for<br>
login then the identity and access tokens would have
the device<br>
id as the subject, I think.<br>
<br>
Thanks,<br>
Rich<br>
<br>
<br>
On 10/2/2017 11:46 AM, George Fletcher via
Openid-specs-ab wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
I'm just curious if anyone else has looked at trying
to leverage the OIDC redirect flow but instead of
doing end-user authentication... authenticating the
device. I have a use case where one property needs
to redirect the device to the OP and get back a code
to exchange for tokens. The "subject" of the token
is the device identifier not the end-user.<br>
<br>
I realize that OIDC was not really designed for
this, but it does have a lot of the protections
needed for redirect-based protocols :)<br>
<br>
Thanks,<br>
George<br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net"
target="_blank" moz-do-not-send="true">Openid-specs-ab@lists.openid.net</a><br>
<a
href="https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openid.net_mailman_listinfo_openid-2Dspecs-2Dab&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=nNxUKneeZofWTyt9qclOUTeEg29NkEkknFyDupoNiiA&m=LgekHGfZDUzU6dr1ZRnSu0aa0liugt0dIscH-h0G4dA&s=O5ro-n7tpA2ELCf1k_v4zw3i40SUE-OBmxvH_CbBbJk&e="
rel="noreferrer" target="_blank"
moz-do-not-send="true">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
<br>
</blockquote>
<br>
<br>
<br>
</blockquote>
<br>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div class="gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div
style="line-height:1.5em;padding-top:10px;margin-top:10px;color:rgb(85,85,85);font-family:sans-serif;font-size:small"><span
style="border-width:2px 0px
0px;border-style:solid;border-color:rgb(213,15,37);padding-top:2px;margin-top:2px">Adam
Dawes |</span><span style="border-width:2px 0px
0px;border-style:solid;border-color:rgb(51,105,232);padding-top:2px;margin-top:2px"> Sr.
Product Manager |</span><span style="border-width:2px
0px
0px;border-style:solid;border-color:rgb(0,153,57);padding-top:2px;margin-top:2px"> <a
href="mailto:adawes@google.com" target="_blank"
moz-do-not-send="true">adawes@google.com</a> |</span><span
style="border-width:2px 0px
0px;border-style:solid;border-color:rgb(238,178,17);padding-top:2px;margin-top:2px"> +1
650-214-2410</span></div>
<br>
</div>
</div>
</div>
</blockquote>
<br>
</body>
</html>