Re: [OAUTH-WG] Direct Grant missing in draft-parecki-oauth-v2-1
Dick Hardt <dick.hardt@gmail.com> Thu, 09 April 2020 00:10 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9FB9E3A1A52; Wed, 8 Apr 2020 17:10:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0sPJtYzulw9f; Wed, 8 Apr 2020 17:10:13 -0700 (PDT)
Received: from mail-lj1-x22f.google.com (mail-lj1-x22f.google.com [IPv6:2a00:1450:4864:20::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8791E3A1A51; Wed, 8 Apr 2020 17:10:13 -0700 (PDT)
Received: by mail-lj1-x22f.google.com with SMTP id q19so9564381ljp.9; Wed, 08 Apr 2020 17:10:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=pdCtZjeGozxgD/RMz8HUra5uHHgAuXg1pPkeEbjWq6g=; b=hOFRJCV/bM+lOn8qF8ism4ZMt32BdKsxJU+MqWoH91g0dQwcOKKBVxyamUYrI47see WuNCF8GCjK7TRHNLNGr3ixF2DHJf3UobzMj0Ju6VVxIPnZi46Je+/4F/ROkOj2KmgVHP RJjwzec1PrKa1xg3VHfS3nkstWY3p87aA5xoT8vVEEF5pvJhTsB9J8ppZ08CziY0vUpL 8xfOASxHGsGme0PhYAoGv8riStlBM0ywN1pp66k8WVkH4+0lyjLKqLEOAQm8an8suoxT CEK69nfonVfn29mAlQ04TtSOaLb4cAx1XOqS/x3+nyh4l+gDHck4i4CxMNOH7GBsw9p8 JwCw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=pdCtZjeGozxgD/RMz8HUra5uHHgAuXg1pPkeEbjWq6g=; b=ViVxe/2MPHl16o6gBtb++YdHyBwxjODJuybSHjK7o03gkOU9OFi9MeyuL0FiUfWW/s udpRMmhLWvy5NrnUONXkqGY7DEAO/ewMdjw64s2zbk/16tM1bRh/Y+XHnikcjljWcrMk W3c7ljYRdBVpYTV+6sbcUOOzaI+wYmzgsMaUfHoEwc4sMAMPqmdZdutGpxudFX+MqLm2 kNOaSlOO/Fu7nQVjlwCQVL0ev6kH3wIXObn1cf0Vvelw3bsl8CDaVWzNQjffTN6SKbc8 CxLFTyaFplyYKwsa2/wmZcvtY0vRTueckHo+BhtUnObNqwx3msKZYuXO5oKnP5ZSWz11 FF5g==
X-Gm-Message-State: AGi0PubBnUP2nwxE9/9OnCIfad24E0v6W/VE1/UovPQy5U+mbjD75LfL 4H8NRufgilVfQrUn5bfeD7DuHPipQ9hqGaGCQt0=
X-Google-Smtp-Source: APiQypLooKL8ZlfQ4TdjGR+xBy6JJJxUVndZWMxaf/RttoZTz4VVcovFWQgjGexDzKK3q2XQbAPCGKooF5JP9TaPGT8=
X-Received: by 2002:a05:651c:20d:: with SMTP id y13mr6801812ljn.112.1586391011651; Wed, 08 Apr 2020 17:10:11 -0700 (PDT)
MIME-Version: 1.0
References: <CAOW4vyPN7iCt9FdGDhzFWsPB=PVcRaLqgTHtAFA07D-E6SuzzQ@mail.gmail.com> <CAGBSGjo0F61grJmk1qotA8fQs1=H1KaqVYKWbEYTeveCJwK4kw@mail.gmail.com> <CAOW4vyPpT_Wq_qfDU9RhKVW1JeKyK3daF2QR1UmPKnsbMx3_dQ@mail.gmail.com>
In-Reply-To: <CAOW4vyPpT_Wq_qfDU9RhKVW1JeKyK3daF2QR1UmPKnsbMx3_dQ@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Wed, 08 Apr 2020 17:09:45 -0700
Message-ID: <CAD9ie-sQnXGirw9oFR+5HduxT-4DwBOH4eSMZ+zowoEmrC1SaA@mail.gmail.com>
To: Francis Pouatcha <fpo@adorsys.de>
Cc: Aaron Parecki <aaron@parecki.com>, OAuth WG <oauth@ietf.org>, draft-parecki-oauth-v2-1@ietf.org
Content-Type: multipart/alternative; boundary="000000000000b9757405a2d0702c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/2aw54ofBIJvba6cetzw-zFyIipM>
Subject: Re: [OAUTH-WG] Direct Grant missing in draft-parecki-oauth-v2-1
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Apr 2020 00:10:16 -0000
Francis We had a long discussion on this topic earlier this year: https://mailarchive.ietf.org/arch/msg/oauth/mG6tkmXSOxwakC0184snKCGxfSE/ On Wed, Apr 8, 2020 at 3:25 PM Francis Pouatcha <fpo@adorsys.de> wrote: > Hello Aaron, > > Deprecating Resource Owner Password Credentials Flow (Direct Grant) > without replacement might make a strict oAuth 2.1 server (with no backward > compatibility to oAuth2.0) unusable for a good part of "First Party" > applications on the market. These are application environments where the > operator of the AS is the same one deploying the mobile App using Direct > Grant. > > Not sure it is a good idea to limit scope oAuth 2.1 on existing > functionality of oAuth 2.0 unless we are planning an oAuth 3.0 soon. > -- > Francis Pouatcha > Co-Founder and Technical Lead at adorys > https://adorsys-platform.de/solutions/ > > On Wed, Apr 8, 2020 at 6:03 PM Aaron Parecki <aaron@parecki.com> wrote: > >> Hi Francis, >> >> The Resource Owner Password Credentials grant is being deprecated in the >> OAuth 2.0 Security BCP: >> >> >> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.4 >> >> > The resource owner password credentials grant MUST NOT be used. >> >> As this OAuth 2.1 draft is meant to consolidate the best practices across >> the existing OAuth 2.0 documents, and is explicitly not intended to define >> any new behavior that is not already in an adopted document, we can't >> accept your suggestion of adding a new OTP-based grant in this document. >> >> ---- >> Aaron Parecki >> aaronparecki.com >> @aaronpk <http://twitter.com/aaronpk> >> >> >> >> On Wed, Apr 8, 2020 at 2:59 PM Francis Pouatcha <fpo@adorsys.de> wrote: >> >>> As a replacement of RFC 6749 I am missing a "Direct Grant" with the >>> same simplicity as the "Resource Owner Password Credentials" grant of RFC >>> 6749. >>> >>> The reason is that browser redirects are too complex and most of the >>> time badly implemented by small teams. For the sake of having SMEs use >>> oAuth 2.1 with their limited development capacities, I suggest keeping the >>> simple "Resource Owner Password Credentials" with an OTP replacing the >>> permanent password. >>> >>> We also have sample implementations working on the market with OTP based >>> "Resource Owner Password Credentials" with full compatibility to RFC >>> 6749. >>> >>> -- >>> Francis Pouatcha >>> Co-Founder and Technical Lead at adorys >>> https://adorsys-platform.de/solutions/ >>> >> >
- [OAUTH-WG] Direct Grant missing in draft-parecki-… Francis Pouatcha
- Re: [OAUTH-WG] Direct Grant missing in draft-pare… Aaron Parecki
- Re: [OAUTH-WG] Direct Grant missing in draft-pare… Francis Pouatcha
- Re: [OAUTH-WG] Direct Grant missing in draft-pare… Dick Hardt
- Re: [OAUTH-WG] Direct Grant missing in draft-pare… Daniel Fett
- Re: [OAUTH-WG] Direct Grant missing in draft-pare… Rob Otto
- Re: [OAUTH-WG] Direct Grant missing in draft-pare… Daniel Fett
- Re: [OAUTH-WG] Direct Grant missing in draft-pare… Justin Richer
- Re: [OAUTH-WG] Direct Grant missing in draft-pare… Francis Pouatcha