Justin Richer
2017-07-01 00:42:45 UTC
Since the draft is close to final, I wanted to write to the list about a use case in a project that I’m working on that I think is valuable input into the Device Flow discussion.
This use case exercises the device flow OAuth extension grant in an interesting way. The usual line of thinking for using this flow is that there’s a disadvantaged device, like a set-top box, that the user needs to grant access to using a separate personal computer. In this use case, there are still two devices but it’s the permissions that vary between them, not the platform capabilities. The device ultimately getting the access token is the user’s personal mobile device (a phone or tablet), but they’re unable to log in and authorize the device directly on the device itself. Instead, the user needs to bring their device to an authorized kiosk staffed by a trained entity who has the authority to onboard the device to the user’s account. Good news is that so far we’ve been able to build this out using the device flow with no modifications to the protocol, but since our use is different we thought it would be good for the community to see its details.
The flow starts with the user on their device, we’ll use a smartphone in our example. The user provides an identifier to their account, and the device starts the device flow to the server including this identifier as an additional parameter. The AS generates a device and user code pair and ties that to the account indicated by the identifier. Later, the user brings their device in to the staffed kiosk, where the authorized staff verifies the user (using a physical ID card) and the device (using the user code) against the “pending” requests for that user’s account. The staff person makes sure that the user who’s present is the same as the user in the pending request and approves the connection. At the AS this sets a flag on the device code and binds it strongly to that user’s account. Note that it’s the staff person who’s logged in, but the binding is to the proofed user’s account. This decision is written to an audit log (a good potential application for the SecEvents group, since it’s an event with multiple parties that needs to be verifiable). Later, the user gets their device online again and it trades the device code for the access token, and now it can call the APIs as needed.
The time gaps in this use case are much larger than is typical with the device flow. When setting up a set-top box, it would be expected that everything gets set up within a few minutes. However, the requirement for the user to potentially travel to a trusted kiosk means that our device codes last for up to a week. And once the device is approved by the authorized staff person at the kiosk, the user has *another* week to get their device back online to trade the device code in for an access token. If either of those windows are missed, they have to start the whole process over again.
Apart from the account identifier in the initial request for the device code (which we read as being allowed), there are no changes to the device code flow protocol. The account identifier is more for increasing the usability of the entire system, as it allows a user’s pending devices to be verified more quickly at the kiosk. Also, in this particular deployment, it’s used along with dynamic registration and private_key_jwt authentication for the clients, which allows for greater security for the overall protocol and greater separation of client instances from each other.
We’re interested to hear people’s feedback on our use of the device flow, and curious if anyone else is using it in a similar fashion. Even though it’s different, it still fits the spirit of “two devices with different capabilities” present in the draft.
— Justin
This use case exercises the device flow OAuth extension grant in an interesting way. The usual line of thinking for using this flow is that there’s a disadvantaged device, like a set-top box, that the user needs to grant access to using a separate personal computer. In this use case, there are still two devices but it’s the permissions that vary between them, not the platform capabilities. The device ultimately getting the access token is the user’s personal mobile device (a phone or tablet), but they’re unable to log in and authorize the device directly on the device itself. Instead, the user needs to bring their device to an authorized kiosk staffed by a trained entity who has the authority to onboard the device to the user’s account. Good news is that so far we’ve been able to build this out using the device flow with no modifications to the protocol, but since our use is different we thought it would be good for the community to see its details.
The flow starts with the user on their device, we’ll use a smartphone in our example. The user provides an identifier to their account, and the device starts the device flow to the server including this identifier as an additional parameter. The AS generates a device and user code pair and ties that to the account indicated by the identifier. Later, the user brings their device in to the staffed kiosk, where the authorized staff verifies the user (using a physical ID card) and the device (using the user code) against the “pending” requests for that user’s account. The staff person makes sure that the user who’s present is the same as the user in the pending request and approves the connection. At the AS this sets a flag on the device code and binds it strongly to that user’s account. Note that it’s the staff person who’s logged in, but the binding is to the proofed user’s account. This decision is written to an audit log (a good potential application for the SecEvents group, since it’s an event with multiple parties that needs to be verifiable). Later, the user gets their device online again and it trades the device code for the access token, and now it can call the APIs as needed.
The time gaps in this use case are much larger than is typical with the device flow. When setting up a set-top box, it would be expected that everything gets set up within a few minutes. However, the requirement for the user to potentially travel to a trusted kiosk means that our device codes last for up to a week. And once the device is approved by the authorized staff person at the kiosk, the user has *another* week to get their device back online to trade the device code in for an access token. If either of those windows are missed, they have to start the whole process over again.
Apart from the account identifier in the initial request for the device code (which we read as being allowed), there are no changes to the device code flow protocol. The account identifier is more for increasing the usability of the entire system, as it allows a user’s pending devices to be verified more quickly at the kiosk. Also, in this particular deployment, it’s used along with dynamic registration and private_key_jwt authentication for the clients, which allows for greater security for the overall protocol and greater separation of client instances from each other.
We’re interested to hear people’s feedback on our use of the device flow, and curious if anyone else is using it in a similar fashion. Even though it’s different, it still fits the spirit of “two devices with different capabilities” present in the draft.
— Justin