Hi all, I was wondering if anyone considered using OAuth for password resets. Or maybe this is common practice, I don’t know.
My line of thinking is that a password is "just-another-resource" that is stored at a resource server. So the resource server requires an access token for anyone/any client that wants to update/change the password. The authorisation server that issues access-tokens somehow needs to authenticate the client that wants an access token for changing a certain password. Authentication is half in-scope and half out-of-scope of OAuth specifications. In the Authorisation Code grant (AC), it is left out-of-scope how the AS authenticates the RO, but it does state it should happen through the user-agent during the execution of the grant. In the ResourceOwner password credential (ROPC) grant, the username/password is sent to the AS as part of the authorisation request / redirect. For a password reset scenario, I would say we need a new grant which would be inbetween AC-grant and ROPC-grant: - it starts with a redirect to the AS including a “password reset token” - somewhat similar to the ROPC-grant: the password reset-token can be viewed as combination of username and a (one-time) password. This is basically clicking on a password reset link - subsequently the AS could perform additional authentication steps (e.g. 2FA-SMS) - similar to what is possible with the AC-grant - when AS thinks the user is sufficiently authenticated, the AS could issue the authorisation code and things would proceed as with the AC-grant Obviously this is preceeded by a request for a password-reset link, which gets sent to the legitimate resource owner Out-Of-Bound via email, SMS, or whatsoever. Am I making things too complicated here? Or would this be the proper way to do it? I’m trying to hook-up to the most secure OAuth mechanisms. Any thoughts? Jaap Francke _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
