  1. GPII - Global Public Inclusive Infrastructure
  2. GPII-3716

Design new OAuth grant type for use with keyless login



    • Type: New Feature
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:


      Auto key-in on Windows logon without user folder for GPII-3711 requires us to design a new OAuth grant type. This will be requested by the Access requestor component designed for GPII-2436 when requesting the new access token. This will allow for both GPII keys and safes/vaults to be automatically provisioned at the point that the client requests a write. This grant type needs to be kept distinct from the standard ones that we already support (e.g. for USB keys, RFID tokens, and other kinds of provisioned tokens) so that we are not subjected to DoS attacks when presented with unprovisioned keys. The fact that this grant type is permitted will be stored in the GPII App Installation Clients table (the existing design is currently shown at https://wiki.gpii.net/w/Keys,_KeyTokens,_and_Preferences) for the particular client installation that a machine secret/client credential is attached to.

      We need to choose a name for the grant type, be clear what it authorises the user to do, and design an OAuth workflow that employs it to allocate an access token.




            • Assignee:
              amb26 Antranig Basman