Ok, let me try. At the company where I work, we have an app that is used by our users. We want to have a way to authenticate the requests from the application, without requiring the user to perform any interactive login flow. I described it more in-depth in the blog post - https://blog.solutotlv.com/userless-mobile-authentication/
Does this help?
Also, thank you for your time and feedback. I appreciate it!

On Fri, Nov 9, 2018 at 1:54 AM Dick Hardt <dick.ha...@gmail.com> wrote:

> More detail on the scenario would help.
>
> On Fri, Nov 9, 2018 at 2:04 AM Omer Levi Hevroni <ome...@gmail.com> wrote:
>
>> Yes, that is correct.
>> I'm sorry for the confusion, I think this confusion is built into
>> the OAuth framework itself.
>> You understood well the scenario - I have an application running on an
>> untrusted device in an untrusted network. I looked for a way to
>> authenticate the requests from the device to AS.
>> Does it make more sense now?
>>
>> On Thu, Nov 8, 2018 at 12:42 PM Dick Hardt <dick.ha...@gmail.com> wrote:
>>
>>> Omar
>>>
>>> As promised, I have reviewed the ID[1] you posted. I'm confused in the
>>> Motivation by the references to authentication, as OAuth is about
>>> authorization.
>>>
>>> Perhaps you can post to the list the use case you are trying to solve
>>> for? I can infer aspects, but don't fully understand it.
>>>
>>> From what I can understand though, there is software running in a
>>> trusted device that would like to get an access token, and an OTP is part
>>> of how the device is authenticating to the AS. This seems like a 2 legged
>>> OAuth flow as there is no user involved directly, and it seems you have a
>>> means for the client to authenticate to the AS using an OTP. Am I guessing
>>> correctly?
>>>
>>> /Dick
>>>
>>> [1]
>>> https://datatracker.ietf.org/doc/draft-hevroni-oauth-seamless-flow/?include_text=1
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth