Here's a version of this that my colleague wrote up in August for this grant; we're definitely interested in exploring this further. It is also missing the nonce/server challenge part, but it's a start.

https://github.com/jaredhanson/id-oauth-fido2/blob/main/draft.txt

Aaron

On Fri, Dec 23, 2022 at 1:37 PM David Chadwick <d.w.chadw...@verifiablecredentials.info> wrote:

> Yes, I already proposed this to the OpenID4VCs working group. You can see my proposal here
>
> https://bitbucket.org/openid/connect/issues/1542/support-for-fido-authentication
>
> This proposes two new authorization grant types of "FIDO Registration" and "FIDO Authentication".
>
> Kind regards
>
> David
>
> On 23/12/2022 00:40, Malla Simhachalam wrote:
>
> Hello All,
>
> Hope you are all doing great. We have been thinking of creating a proposal for a new OAuth2 authorization grant based on the FIDO credentials, please let us know your thoughts so that we can put together a draft proposal.
>
> /******
>
> Abstract: FIDO Profile for OAuth2.0 Authorization Grants
>
> Fast Identity Online (FIDO) and WebAuthn are open standards that define strong cryptographic credentials that are alternatives to passwords for accessing websites and apps with secure and faster login experiences for users. FIDO and WebAuthn protocols have been developed through the FIDO Alliance and W3C standards bodies. The OAuth 2.0 Authorization Framework [RFC6749 <https://www.rfc-editor.org/rfc/rfc6749>] provides a method for making authenticated HTTP requests to a resource using an access token. Access tokens are issued to third-party clients by an authorization server (AS) with the (sometimes implicit) approval of the resource owner. In OAuth, an authorization grant is an abstract term used to describe intermediate credentials that represent the resource owner authorization. An authorization grant is used by the client to obtain an access token. Several authorization grant types are defined to support a wide range of client types and user experiences. OAuth also allows for the definition of new extension grant types to support additional clients or to provide a bridge between OAuth and other trust frameworks.
>
> This proposal defines a new authorization grant and how FIDO credentials can be used to obtain an access token. FIDO credentials are resource owner credentials used directly as an authorization grant to obtain an access token. The credentials should only be used when there is a high degree of trust between the resource owner and the client. Even though this grant type requires direct client access to the resource owner credentials, the resource owner credentials are used for a single request and are exchanged for an access token.
>
> Token endpoint sample:
>
> POST v1/oauth2/token HTTP/1.1
> Host: authz.example.net
> Content-Type: application/x-www-form-urlencoded
>
> grant_type=urn:ietf:params:oauth:grant-type:webauthn-assertion
> &webauthn_assertion=<authenticator_assertion_response>
>
> :
>
> HTTP/1.1 200 OK
> Content-Type: application/json
>
> {
>   "access_token" : "A23.xjHEJEH830JLD",
>   "expires_in" : 900
> }
>
> ***/
>
> Thanks,
> Malla
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
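Aaron's remark that the draft still lacks the nonce/server challenge part is the piece that makes a webauthn_assertion grant safe against replay, so here is an added Python example of how a token endpoint would check such a grant; it is not code from the thread or from the linked draft. RP_ID, ORIGIN, the in-memory challenge store and the verify_signature callback are assumptions, and build_assertion is a constructed test-vector builder in the real wire layout, not an authenticator.

```python
import base64, hashlib, json, secrets, time

RP_ID, ORIGIN = "authz.example.net", "https://authz.example.net"  # assumed AS deployment values
CHALLENGE_TTL = 120  # seconds a challenge issued by the token endpoint stays valid

def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

class ChallengeStore:  # server-issued challenges: random, short-lived, single use
    def __init__(self, now=time.time):
        self._pending, self._now = {}, now

    def issue(self) -> str:
        challenge = secrets.token_urlsafe(32)  # 256 random bits, base64url without padding
        self._pending[challenge] = self._now() + CHALLENGE_TTL
        return challenge

    def consume(self, challenge: str) -> bool:
        expires = self._pending.pop(challenge, None)  # pop: a replayed challenge fails
        return expires is not None and self._now() <= expires

def verify_webauthn_grant(assertion: dict, store: ChallengeStore,
                          verify_signature, last_counter: int) -> dict:
    # verify_signature(signed, sig) -> bool checks the credential's registered public key (COSE parsing not shown)
    cd_raw = b64url_decode(assertion["clientDataJSON"])
    cd = json.loads(cd_raw)
    if cd.get("type") != "webauthn.get" or cd.get("origin") != ORIGIN:
        raise ValueError("wrong ceremony type or origin")
    if not store.consume(cd.get("challenge", "")):
        raise ValueError("unknown, expired or reused challenge")
    auth_data = b64url_decode(assertion["authenticatorData"])
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash mismatch")
    flags, counter = auth_data[32], int.from_bytes(auth_data[33:37], "big")
    if not (flags & 0x01):
        raise ValueError("user presence flag not set")
    if counter != 0 and counter <= last_counter:
        raise ValueError("signature counter did not increase")
    signed = auth_data + hashlib.sha256(cd_raw).digest()  # the bytes the authenticator signed
    if not verify_signature(signed, b64url_decode(assertion["signature"])):
        raise ValueError("bad assertion signature")
    return {"counter": counter, "user_verified": bool(flags & 0x04)}

def build_assertion(challenge: str, counter: int, sign, flags: int = 0x05) -> dict:
    # Constructed test vector in a real assertion's wire layout; sign() stands in for the authenticator.
    cd_raw = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": ORIGIN}).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")
    sig = sign(auth_data + hashlib.sha256(cd_raw).digest())
    parts = {"clientDataJSON": cd_raw, "authenticatorData": auth_data, "signature": sig}
    return {k: base64.urlsafe_b64encode(v).rstrip(b"=").decode() for k, v in parts.items()}
```

The challenge must come from the token endpoint itself (for example from a preceding request that returns it alongside the RP ID) so that the assertion is bound to this AS and this exchange; without that binding any captured assertion could be presented again.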