OAuth Challenge Grant?
From IIW
Session Topic: OAuth2 challenge/response grant
Wednesday 3C
Convener: Samuel E.
Notes-taker: Erik Wahlström
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
- How to integrate physical access systems into digital access systems.
- OAuth2 in IoT scenarios where policies and decisions are taken on the AS.
- Sometimes the AS requires different attributes from a specific client before it is able to issue a token.
- Example: An IoT-enabled door takes a JWT to open. Sometimes the user waves an NFC/RFID-based card in front of a card reader to authenticate, but sometimes the user also has to enter a PIN code to be able to open the door. The policy for the door is changed centrally in the AS.
- The question is: can this be defined in a new grant type that uses a challenge/response mechanism, or is this outside of the spec and just authentication within an authorization code grant flow?
- It depends on the architecture. Is the card the client, or is the reader the client?
- What happens when things are offline? Some work has been done by neXus with a JWT that includes an ACL.
The discussion flowed out into a general discussion of security in IoT.
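As an added illustration of the door example and the offline question above (this is example code written for these notes, not anything from neXus, the session, or any OAuth draft), the sketch below models both sides: an AS that applies a central per-door policy (card only, or card plus PIN) and answers with a challenge when a factor is missing, and a door that verifies the issued JWT offline using only its expiry and an embedded `acl` claim. The door ids, card UIDs, PINs, policy table, claim names `amr`/`acl`, and the shared HS256 key are all constructed assumptions; a real deployment would sign with an asymmetric key so doors hold only a public key.

```python
"""Toy AS + door for a challenge/response style OAuth grant with offline JWT check.
Example code for the IIW notes; all identifiers, keys and policies are constructed."""
import base64
import hashlib
import hmac
import json
import time

# Constructed: shared signing key (assumption; use an asymmetric key in production).
ISSUER_KEY = b"demo-issuer-key-not-for-production"

# Constructed: the central policy held on the AS, keyed by door id. Changing the
# required factors here changes what the AS demands before issuing a token.
DOOR_POLICY = {
    "lobby": {"card"},
    "server-room": {"card", "pin"},
}

def _pin_hash(pin, salt):
    return hashlib.sha256(salt.encode() + pin.encode()).hexdigest()

# Constructed: card registry; PINs stored as salted SHA-256 hashes, plus the doors
# each card holder is allowed to open (this becomes the token's ACL).
CARDS = {
    "04A1B2C3": {"sub": "alice", "salt": "s1", "pin": _pin_hash("1234", "s1"),
                 "doors": ["lobby", "server-room"]},
    "04D4E5F6": {"sub": "bob", "salt": "s2", "pin": _pin_hash("9999", "s2"),
                 "doors": ["lobby"]},
}

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _sign(signing_input):
    return hmac.new(ISSUER_KEY, signing_input.encode(), hashlib.sha256).digest()

def encode_jwt(claims):
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.{_b64url(_sign(header + '.' + payload))}"

def issue_token(door_id, card_uid, pin=None, now=None, ttl=60):
    """AS side. Returns {'access_token': ...}, or {'error': 'challenge_required',
    'challenge': 'pin'} when the door's policy needs a factor the client did not present."""
    now = int(time.time()) if now is None else now
    card = CARDS.get(card_uid)
    if card is None or door_id not in DOOR_POLICY:
        return {"error": "invalid_grant"}
    presented = {"card"}
    if pin is not None:
        if not hmac.compare_digest(_pin_hash(pin, card["salt"]), card["pin"]):
            return {"error": "invalid_grant"}
        presented.add("pin")
    missing = DOOR_POLICY[door_id] - presented
    if missing:
        # The challenge/response step: tell the client which factor to collect next.
        return {"error": "challenge_required", "challenge": sorted(missing)[0]}
    if door_id not in card["doors"]:
        return {"error": "access_denied"}
    claims = {
        "iss": "as.example",
        "sub": card["sub"],
        "iat": now,
        "exp": now + ttl,
        "amr": sorted(presented),   # which factors the AS actually verified
        "acl": card["doors"],       # doors this token may open; used when offline
    }
    return {"access_token": encode_jwt(claims)}

def door_verify(token, door_id, now=None):
    """Door side. Verifies signature, algorithm, validity window and ACL membership
    without contacting the AS."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        if not hmac.compare_digest(_sign(h + "." + p), _b64url_decode(s)):
            return False
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except ValueError:
        return False
    if header.get("alg") != "HS256":   # refuse alg confusion such as "none"
        return False
    if claims.get("exp", 0) <= now or claims.get("iat", now + 1) > now:
        return False
    return door_id in claims.get("acl", [])
```

The ACL claim is what makes the offline case work: the door decides from the token alone, so the token lifetime (`ttl`) is the only lever the AS keeps for revoking access at a door that cannot phone home.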