I am trying to add OTP / 2FA support to OAuth2, but after reading RFC6749 it is still not clear how to carefully add OTP / 2FA without violating the specifications.
Although an OTP / 2FA record can be added to the authorize conversation stream, there are no conditions for adding it to token. For example, public client applications with privileges on Resource owner password-based may not want to provide a token directly when they request a new access_token, rather than embed an HTML dialog box.
Therefore my questions are these:
Does the RFC allow a custom grant_type? Should this be used to provide 2FA / OTP functionality?
Does the RFC allow additional attributes for an existing grant_type? For example, grant_type=token&otp_code=1234 (the RFC does not make it clear whether additional attributes are allowed for a grant_type in the specification).
Should OTP functions be placed in headers? This is the approach that GitHub has used, but it seems really ugly / hacky.
Are there any other approaches that I have missed?
Thank you in advance.
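As an added example (not code from the original post), this is what the second option above looks like server-side: a token endpoint that keeps grant_type=password and reads an extra otp_code parameter, checks it as an RFC 6238 TOTP second factor, and answers with the standard RFC 6749 error object when the factor is missing or wrong. The user store, password and TOTP seed are constructed placeholders, and the password check is deliberately evaluated together with the OTP so that the error does not reveal which factor failed.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed demo user store. A real server stores a password hash, not the
# password, and the TOTP seed is the RFC 6238 test secret, used here only so
# the output is reproducible.
USERS = {
    "alice": {"password": "correct horse", "totp_secret": b"12345678901234567890"},
}


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, the default) for Unix time `at`."""
    counter = (at // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current code plus `window` steps either side for clock skew."""
    candidates = (totp(secret, now + i * 30) for i in range(-window, window + 1))
    return any(hmac.compare_digest(c, code) for c in candidates)


def handle_token_request(body: str, now: int) -> tuple[int, dict]:
    """Token endpoint for grant_type=password extended with otp_code.

    Takes the form-encoded POST body and returns (HTTP status, JSON object),
    following the RFC 6749 section 5.1 / 5.2 response shapes.
    """
    params = {k: v[0] for k, v in parse_qs(body).items()}
    if params.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    user = USERS.get(params.get("username", ""))
    otp = params.get("otp_code")
    if otp is None:
        # Second factor absent: reject before issuing anything. The description
        # text is our own; the RFC only fixes the error code.
        return 400, {"error": "invalid_grant", "error_description": "otp_code required"}
    # Evaluate both factors and report a single generic failure.
    pw_ok = user is not None and hmac.compare_digest(
        user["password"].encode(), params.get("password", "").encode())
    otp_ok = user is not None and verify_totp(user["totp_secret"], otp, now)
    if not (pw_ok and otp_ok):
        return 400, {"error": "invalid_grant"}
    return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}
```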