<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi Mike</p>
<p>You are not the first person to suggest this. Many months ago I
suggested this to the OpenID4VCs working group, but there was zero
interest from the participants.</p>
<p>FYI, we implemented FIDO as the way for our users to connect
their smartphone VC wallets to a VC issuer, prior to OpenID4VCI
being standardised. So it seemed natural to us to add FIDO as a
method for authentication within the OAuth framework. But there
was no interest from anyone else at the time.</p>
<p>The details of my proposed method should still be available in
the issues list of OpenID4VCs.</p>
<p>Kind regards</p>
<p>David<br>
</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 14/07/2023 15:18, Michael Schwartz
via Openid-specs-ab wrote:<br>
</div>
<blockquote type="cite"
cite="mid:18312a1079deb3db61861061855c075a@gluu.org">
<br>
Aaron,
<br>
<br>
Thanks for responding! I know it's summer and everyone is
relaxing, with little time to ponder FIDO / OpenID integration.
<br>
<br>
I thought about posting this idea to the OAuth mailing list. But
in the end, it's really about person authentication--the end
result is the issuance of a new id_token. And `display=fido`
relates to the end user authn experience. So net-net, it seems
more like an OpenID recipe.
<br>
<br>
I'm sort of surprised that I'm the first person suggesting this...
it seems so obvious. I thought the EAP work group (not sure of the
status) was figuring out how to get FIDO and OpenID to work
together.
<br>
<br>
- Mike
<br>
<br>
<br>
On 2023-07-13 17:27, Aaron Parecki wrote:
<br>
<blockquote type="cite">Hi Mike,
<br>
<br>
Will you be at the next IETF meeting in San Francisco? I'm going to be
presenting some work there that has some similar overlap to this and
would love to chat about this more to see if we can combine forces on it.
<br>
<br>
Aaron
<br>
<br>
On Thu, Jul 13, 2023 at 12:59 PM Michael Schwartz via Openid-specs-ab
<a class="moz-txt-link-rfc2396E" href="mailto:openid-specs-ab@lists.openid.net"><openid-specs-ab@lists.openid.net></a> wrote:
<br>
<br>
<blockquote type="cite">OpenIDenterati,
<br>
<br>
I'm working on a design for first-party mobile app authentication. I'd
like to use FIDO, but only backchannel authentication. The idea is to
use the standard FIDO SDK in iOS and Android. FIDO authn by itself is
not enough--we also need access tokens to call a backend API.
<br>
<br>
Does anyone think it's feasible to create a "fido2" OAuth grant type? My
thought is that the client would send an id_token with the OAuth token
request, and if the AS doesn't like it, it would return:
<br>
<br>
401/Unauthorized
<br>
WWW-Authenticate: fido
<br>
<br>
The client would then FIDO2 authenticate the person, using a string
value from the FIDO authn response as a reference token to obtain a new
id_token at the authorize endpoint, using the authn request param
display=fido2.
<br>
<br>
Is this a crazy idea?
<br>
<br>
thx,
<br>
<br>
Mike
<br>
<br>
PS: If you want to see an overview of the entire flow, see this wiki
page:
<br>
<a class="moz-txt-link-freetext" href="https://github.com/JanssenProject/jans/wiki/Mobile-DPoP-FIDO-Authn">https://github.com/JanssenProject/jans/wiki/Mobile-DPoP-FIDO-Authn</a>
<br>
<br>
--------------------------------------
<br>
Michael Schwartz
<br>
Gluu
<br>
Founder / CEO
<br>
<a class="moz-txt-link-abbreviated" href="mailto:mike@gluu.org">mike@gluu.org</a>
<br>
<a class="moz-txt-link-freetext" href="https://www.linkedin.com/in/nynymike/">https://www.linkedin.com/in/nynymike/</a>
<br>
<br>
----
<br>
IMPORTANT: The contents of this email and any attachments are
confidential. They are intended for the named recipient(s) only. If
you have received this email by mistake, please notify the sender
immediately and do not disclose the contents to anyone or make
copies thereof. All views and opinions expressed in this email
message are the personal opinions of the author and do not represent
those of the GLUU Inc. No liability can be held for any damages,
however, caused, to any recipients of this message. No employee or
agent is authorized to conclude any binding agreement on behalf of
the company with another party by email without specific
confirmation.
<br>
<br>
600 Congress Ave., 14th Floor, Austin TX 78701
<br>
<br>
GLUU Privacy Policy(<a class="moz-txt-link-freetext" href="https://gluu.org/gluu-privacy-policy/">https://gluu.org/gluu-privacy-policy/</a>)
<br>
<br>
To unsubscribe please forward this email to
<a class="moz-txt-link-abbreviated" href="mailto:unsubscribe@gluu.org">unsubscribe@gluu.org</a>
<br>
_______________________________________________
<br>
Openid-specs-ab mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a>
<br>
<a class="moz-txt-link-freetext" href="https://lists.openid.net/mailman/listinfo/openid-specs-ab">https://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
<br>
</blockquote>
</blockquote>
</blockquote>
<pre class="moz-signature" cols="72">--
IMPORTANT NOTICE
The email addresses ..@verifiablecredentials.info will shortly stop working.
Can you please use
<a class="moz-txt-link-abbreviated" href="mailto:d.w.chadwick@truetrust.co.uk">d.w.chadwick@truetrust.co.uk</a>
from now on</pre>
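<p>The flow Mike sketches above (token request carrying an id_token, a 401 with <code>WWW-Authenticate: fido</code>, a FIDO2 ceremony, then <code>display=fido2</code> at the authorize endpoint with a reference token) as an added worked example; this is editor-written illustration code, not code from any message in this thread and not Janssen or Gluu code. The names <code>display=fido2</code>, <code>WWW-Authenticate: fido</code> and the reference token are taken from the mail; the endpoint shapes, the <code>fido_ref</code> parameter, <code>RP_ID</code>/<code>ORIGIN</code>, and the per-credential HMAC standing in for the authenticator's public-key signature are assumptions made so the file runs offline with the standard library only. The point it adds to the prose is what the AS has to check before the "string value from the FIDO authn response" may be trusted as a reference: it issued the challenge itself, the assertion verifies against the registered credential for the right RP and origin with a fresh sign counter, and the reference is redeemable exactly once.</p>

```python
# Added example (not from the thread, not Janssen/Gluu code): stdlib-only model of
# the "fido2" grant sketched above. display=fido2, "WWW-Authenticate: fido" and the
# reference token are from the mail; fido_ref, RP_ID, ORIGIN and the HMAC stand-in
# for the authenticator's public-key signature are assumptions.
import hashlib, hmac, json, secrets, time

RP_ID = "as.example"                                   # assumed relying-party id
ORIGIN = "https://as.example"                          # assumed app origin
RP_ID_HASH = hashlib.sha256(RP_ID.encode()).digest()


class Authenticator:
    """Stand-in for the platform authenticator behind the iOS/Android FIDO SDK;
    a per-credential HMAC key replaces the real private key so this runs offline."""
    def __init__(self, cred_id, secret):
        self.cred_id, self.secret, self.counter = cred_id, secret, 0

    def get_assertion(self, challenge, rp_id=RP_ID, origin=ORIGIN):
        self.counter += 1
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}).encode()
        # authenticatorData: rpIdHash || flags (UP = 0x01) || signCount
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + self.counter.to_bytes(4, "big")
        # WebAuthn signs authenticatorData || SHA-256(clientDataJSON)
        sig = hmac.new(self.secret, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
        return {"id": self.cred_id, "clientDataJSON": client_data,
                "authenticatorData": auth_data, "signature": sig}


class AuthorizationServer:
    """The AS is also the FIDO relying party, so the reference it hands back is
    bound to an assertion it verified itself and can be redeemed exactly once."""
    def __init__(self):
        self.credentials = {}   # cred_id -> {"secret", "sub", "counter"}
        self.challenges = {}    # challenge -> expiry (single use)
        self.references = {}    # reference -> (sub, expiry) (single use)
        self.id_tokens = {}     # id_token -> sub (stand-in for JWT validation)

    def register(self, sub, authn):
        self.credentials[authn.cred_id] = {"secret": authn.secret, "sub": sub, "counter": 0}

    def token(self, id_token):
        """Step 1: token request with an id_token; 401 + WWW-Authenticate: fido
        tells the client to run the FIDO ceremony instead of showing a login UI."""
        if id_token not in self.id_tokens:
            return 401, {"WWW-Authenticate": "fido"}, None
        return 200, {}, {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}

    def challenge(self):
        """Step 2: fresh, short-lived challenge for the SDK's get-assertion call."""
        c = secrets.token_urlsafe(32)
        self.challenges[c] = time.time() + 60
        return c

    def verify_assertion(self, assertion):
        """Step 3: verify the assertion; only then mint the one-time reference."""
        cred = self.credentials.get(assertion["id"])
        if cred is None:
            return None
        cd = json.loads(assertion["clientDataJSON"])
        if cd.get("type") != "webauthn.get" or cd.get("origin") != ORIGIN:
            return None
        if self.challenges.pop(cd.get("challenge"), 0) < time.time():
            return None                                   # unknown, replayed or expired
        ad = assertion["authenticatorData"]
        if ad[:32] != RP_ID_HASH or not ad[32] & 0x01:
            return None                                   # wrong RP or user-presence unset
        count = int.from_bytes(ad[33:37], "big")
        if count <= cred["counter"]:
            return None                                   # cloned authenticator / replay
        base = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
        if not hmac.compare_digest(hmac.new(cred["secret"], base, "sha256").digest(), assertion["signature"]):
            return None
        cred["counter"] = count
        ref = secrets.token_urlsafe(32)
        self.references[ref] = (cred["sub"], time.time() + 60)
        return ref

    def authorize(self, params):
        """Step 4: the authorize endpoint with display=fido2 redeems the reference."""
        if params.get("display") != "fido2":
            return 400, None
        sub, exp = self.references.pop(params.get("fido_ref", ""), (None, 0))
        if sub is None or exp < time.time():
            return 401, None
        id_token = secrets.token_urlsafe(16)              # stand-in for a signed JWT
        self.id_tokens[id_token] = sub
        return 200, {"id_token": id_token, "sub": sub}


def run_flow(as_, authn, stale_id_token="expired"):
    """Drive the whole exchange for one app instance; returns what the client ends with."""
    status, headers, _ = as_.token(stale_id_token)
    if status != 401 or headers.get("WWW-Authenticate") != "fido":
        raise RuntimeError("expected the token endpoint to demand FIDO")
    ref = as_.verify_assertion(authn.get_assertion(as_.challenge()))
    status, body = as_.authorize({"display": "fido2", "fido_ref": ref})
    if status != 200:
        raise RuntimeError("reference token rejected")
    _, _, tokens = as_.token(body["id_token"])
    return {"sub": body["sub"], "fido_ref": ref, "id_token": body["id_token"],
            "access_token": tokens["access_token"]}
```

<p>Usage: create an <code>AuthorizationServer</code>, register an <code>Authenticator("cred-1", secrets.token_bytes(32))</code> for a subject, and call <code>run_flow(server, phone)</code>; a second <code>authorize</code> call with the same <code>fido_ref</code> gets 401, a re-submitted assertion fails at the challenge check, and an assertion minted for another origin is refused before any signature work. The design choice worth carrying into a real implementation is that the reference is minted by the same party that verified the assertion and is consumed on first redemption, so it carries no more authority than the ceremony behind it.</p>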
</body>
</html>