OAuth Challenge Grant?

From IIW

Session Topic: OAuth2 challenge/response grant

Wednesday 3C

Convener: Samuel E.

Notes-taker: Erik Wahlström

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

  • How to integrate physical access systems into digital access systems.
  • OAuth2 in IoT scenarios where policies and decisions are taken on the AS.
  • Sometimes the AS requires different attributes for a specific client to be able to issue a token.
  • Example: An IoT-enabled door takes a JWT to open the door. Sometimes the user waves an NFC/RFID-based card in front of a card reader to authenticate, but sometimes the user also has to enter a PIN code to be able to open the door. The policy for the door is changed centrally in the AS.
  • The question is: Can this be defined in a new grant type that uses a challenge/response mechanism, or is this outside the scope of the spec and just authentication within a code grant flow?
  • It depends on architecture. Is card the client, or is the reader the client?
  • What happens when things are offline? Some work has been done by neXus with a JWT that includes an ACL.

The discussion flows out into a general discussion of security in IoT.