> > > On 09.04.20 at 09:55, Rob Otto wrote:
> > I'd imagine you have to pre-register each client and then use HOTP or
> > TOTP to generate one-time passcodes.
> >
> > I can come up with a couple of other ways as well, but I'm interested to
> > hear what Francis sees "in the wild".
There are many ways of implementing "Direct Grant". We shall distinguish between approaches which reuse the ROPC flow as is, and those which require an extension of the ROPC flow (e.g. with initialization steps which return challenges).

For a customer project we simply did it with a TOTP, without extension of the OAuth 2.0 ROPC grant. We extended the AS to check {username, TOTP} instead of a permanent password.

-> The login page embedded in the RP user agent displays a form requesting {username, TOTP}.
-> For registration and OTP setup we display a link to the AS (no redirect).
-> The main purpose was mitigating the hazard associated with user agent redirect.
-> FreeOTP is the reference app for OTP.

Remember my initial message requested an alternative "DIRECT GRANT" flow (meaning WITHOUT REDIRECT).

BTW: I went through Dick's reference https://mailarchive.ietf.org/arch/msg/oauth/mG6tkmXSOxwakC0184snKCGxfSE/. We might want to continue there or stay here if the focus shifts away from OAuth 2.1.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth