[keycloak-dev] Implementation of OAuth 2.0 Device Authorization Grant

Hiroyuki Wada h2-wada at nri.co.jp
Tue Mar 19 09:27:28 EDT 2019


Thank you for your comment.

I understand, I'll write the design proposal!

> I haven't had a deep dive into OpenID Connect Client Initiated Backchannel
> Authentication Flow yet, but it raises a question if we should support
> both, or just one of these specifications as they seem to be targeting
> mostly the same use-cases.

I think there are some differences in the use cases they apply to.
OAuth2 Device Grant is applied to devices with no browser or limited input capability.
Also, the device does not need to know the end-user when starting the authorization flow.

OpenID Connect Client Initiated Backchannel Authentication Flow (CIBA) is for a different use-case.
In CIBA, the client is not under the control of the end-user and can be physically separated from the authentication device.
For example, there is an identity verification case like KYC in which the client is running on the computer of a person working in a call center,
and the end-user authenticates with their own smartphone at hand and federates it to the client while being identified over a phone call.

It would be ideal to support both specifications in Keycloak, but I would like to start with the simpler specification, OAuth2 Device Grant, first.

Best regards,


> On Tue, 19 Mar 2019 at 13:08, Stian Thorgersen <sthorger at redhat.com> wrote:
>
>> In general I would welcome a contribution for this specification. I would
>> suggest starting with a design proposal [1] so we can discuss how it would
>> look for Keycloak. As we don't have any plans on the immediate roadmap
>> for this, a contribution would have to be a complete implementation of the
>> specification, including a sufficient level of documentation and testing.
>>
>> [1] https://github.com/keycloak/keycloak-community/tree/master/design
>>
>> On Tue, 19 Mar 2019 at 10:59, Hiroyuki Wada <h2-wada at nri.co.jp> wrote:
>>
>>> Hello,
>>>
>>> I'm interested in implementing OAuth 2.0 Device Authorization Grant [1]
>>> in Keycloak.
>>> I found KEYCLOAK-7675 as the feature request; is anyone already
>>> working on it? Also, would a pull request be welcome?
>>>
>>> The spec is still a draft, but many IdPs such as Google, MS, Facebook and
>>> Salesforce have already implemented it.
>>> I believe supporting the spec will further extend the Keycloak use-cases.
>>>
>>> - [1] https://tools.ietf.org/html/draft-ietf-oauth-device-flow-15
>>>
>>> Best regards,
>>>
>>> --
>>> Hiroyuki Wada (@wadahiro)
>>> Nomura Research Institute, Ltd.
>>> h2-wada at nri.co.jp
>>>
>>
>

-- 
Hiroyuki Wada
Nomura Research Institute, Ltd.
h2-wada at nri.co.jp
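The flow that the message above proposes to implement, as an added example that is not part of this thread or of Keycloak's code: a minimal Python model of both sides of the OAuth 2.0 Device Authorization Grant as draft-ietf-oauth-device-flow-15 describes it. The device, which has no browser, starts at the device authorization endpoint and polls the token endpoint with its device code; the end-user, already signed in on another device, enters the short user code and approves or denies. The server side enforces what a reviewer of such a contribution would look for: a high-entropy device code, a short lifetime, the polling interval with slow_down, binding of the code to the requesting client, and single use. The verification URI, the client id `tv-app`, the user names and the FakeClock are constructed for the example; the user-code alphabet is the base-20 set the draft suggests.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

DEVICE_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"   # base-20 set the draft suggests for typed codes
VERIFICATION_URI = "https://as.example/device"  # constructed for this example

@dataclass
class DeviceAuthorization:
    device_code: str
    user_code: str            # stored normalized: upper-case, no separator
    client_id: str
    scope: str
    expires_at: float
    interval: int             # seconds the device must wait between polls
    last_poll: float = 0.0
    status: str = "pending"   # pending | approved | denied
    user: Optional[str] = None

def normalize_user_code(code: str) -> str:
    """The user types the code by hand, so accept lower-case, spaces and hyphens."""
    return "".join(ch for ch in code.upper() if ch not in " -")

class AuthorizationServer:
    def __init__(self, registered_clients, clock: Callable[[], float],
                 lifetime: int = 600, interval: int = 5):
        self._clients = set(registered_clients)
        self._clock = clock
        self._lifetime = lifetime
        self._interval = interval
        self._by_device: Dict[str, DeviceAuthorization] = {}
        self._by_user_code: Dict[str, DeviceAuthorization] = {}

    def _forget(self, auth: DeviceAuthorization) -> None:
        self._by_device.pop(auth.device_code, None)
        self._by_user_code.pop(auth.user_code, None)

    def device_authorization(self, client_id: str, scope: str = "") -> dict:
        """Device authorization endpoint: the browserless device starts the flow here."""
        if client_id not in self._clients:
            return {"error": "invalid_client"}
        raw = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))  # 20^8 codes; a real server also retries on collision
        auth = DeviceAuthorization(
            device_code=secrets.token_urlsafe(32),  # high entropy; only the device holds it
            user_code=raw, client_id=client_id, scope=scope,
            expires_at=self._clock() + self._lifetime, interval=self._interval)
        self._by_device[auth.device_code] = auth
        self._by_user_code[raw] = auth
        shown = f"{raw[:4]}-{raw[4:]}"           # displayed in the WDJB-MJHT style
        return {"device_code": auth.device_code, "user_code": shown,
                "verification_uri": VERIFICATION_URI,
                "expires_in": self._lifetime, "interval": self._interval}

    def user_decision(self, user_code: str, user: str, approve: bool) -> bool:
        """The end-user, already signed in on a phone or laptop, enters the code and decides."""
        auth = self._by_user_code.get(normalize_user_code(user_code))
        if auth is None or auth.status != "pending" or self._clock() >= auth.expires_at:
            return False  # unknown, already decided, or expired: nothing to approve
        auth.status = "approved" if approve else "denied"
        auth.user = user
        return True

    def token(self, grant_type: str, device_code: str, client_id: str) -> dict:
        """Token endpoint: the device polls with its device_code until the user has decided."""
        auth = self._by_device.get(device_code)
        if grant_type != DEVICE_GRANT_TYPE or auth is None or auth.client_id != client_id:
            return {"error": "invalid_grant"}  # unknown, used-up, or another client's code
        now = self._clock()
        if now >= auth.expires_at:
            self._forget(auth)
            return {"error": "expired_token"}
        if now - auth.last_poll < auth.interval:
            auth.last_poll = now
            auth.interval += 5  # the draft has the client add 5 s after slow_down
            return {"error": "slow_down"}
        auth.last_poll = now
        if auth.status == "pending":
            return {"error": "authorization_pending"}
        self._forget(auth)  # one outcome per device code, whichever way it went
        if auth.status == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 300, "scope": auth.scope}

class FakeClock:
    """Constructed clock so the interval and expiry checks run without sleeping."""
    def __init__(self, now: float = 1_000.0):
        self.now = now
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds

def run_demo() -> dict:
    """Happy path: device starts the flow, user approves on a phone, device polls once more."""
    clock = FakeClock()
    server = AuthorizationServer({"tv-app"}, clock=clock)   # "tv-app" is a constructed client id
    start = server.device_authorization("tv-app", "openid")
    server.user_decision(start["user_code"], "alice", approve=True)
    clock.advance(start["interval"])
    return server.token(DEVICE_GRANT_TYPE, start["device_code"], "tv-app")
```

Two points are worth noting in the model. The user code is the only secret the human handles, so it is short and typed-friendly, while the device code that is actually exchanged for the token is long and random and never leaves the device; conflating the two would let anyone who glimpses the screen finish the flow. The interval enforcement is what keeps a fleet of devices from turning the token endpoint into a high-rate polling target, which is why the server, not only the client, tracks the last poll.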
