Yes, that is correct. I'm sorry for the confusion; I think this confusion is built into the OAuth framework itself. You understood the scenario well - I have an application running on an untrusted device in an untrusted network. I looked for a way to authenticate the requests from the device to the AS. Does it make more sense now?
On Thu, Nov 8, 2018 at 12:42 PM Dick Hardt <dick.ha...@gmail.com> wrote:

> Omar
>
> As promised, I have reviewed the ID[1] you posted. I'm confused in the
> Motivation by the references to authentication, as OAuth is about
> authorization.
>
> Perhaps you can post to the list the use case you are trying to solve for?
> I can infer aspects, but don't fully understand it.
>
> From what I can understand though, there is software running in a trusted
> device that would like to get an access token, and an OTP is part of how
> the device is authenticating to the AS. This seems like a 2 legged OAuth
> flow as there is no user involved directly, and it seems you have a means
> for the client to authenticate to the AS using an OTP. Am I guessing
> correctly?
>
> /Dick
>
> [1]
> https://datatracker.ietf.org/doc/draft-hevroni-oauth-seamless-flow/?include_text=1
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth