Re: [OAUTH-WG] Direct Grant missing in draft-parecki-oauth-v2-1

Francis Pouatcha <fpo@adorsys.de> Wed, 08 April 2020 22:25 UTC

From: Francis Pouatcha <fpo@adorsys.de>
Date: Wed, 08 Apr 2020 18:25:36 -0400
To: Aaron Parecki <aaron@parecki.com>
Cc: OAuth WG <oauth@ietf.org>, draft-parecki-oauth-v2-1@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/8IuRAv5ca-bxRzgyd2x9J64ZM2c>

Hello Aaron,

Deprecating the Resource Owner Password Credentials Flow (Direct Grant) without
a replacement might make a strict OAuth 2.1 server (with no backward
compatibility with OAuth 2.0) unusable for a good part of "First Party"
applications on the market. These are application environments where the
operator of the AS is the same one deploying the mobile App using Direct
Grant.

Not sure it is a good idea to limit the scope of OAuth 2.1 to the existing
functionality of OAuth 2.0 unless we are planning an OAuth 3.0 soon.
-- 
Francis Pouatcha
Co-Founder and Technical Lead at adorsys
https://adorsys-platform.de/solutions/

On Wed, Apr 8, 2020 at 6:03 PM Aaron Parecki <aaron@parecki.com> wrote:

> Hi Francis,
>
> The Resource Owner Password Credentials grant is being deprecated in the
> OAuth 2.0 Security BCP:
>
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.4
>
> > The resource owner password credentials grant MUST NOT be used.
>
> As this OAuth 2.1 draft is meant to consolidate the best practices across
> the existing OAuth 2.0 documents, and is explicitly not intended to define
> any new behavior that is not already in an adopted document, we can't
> accept your suggestion of adding a new OTP-based grant in this document.
>
> ----
> Aaron Parecki
> aaronparecki.com
> @aaronpk <http://twitter.com/aaronpk>
>
>
>
> On Wed, Apr 8, 2020 at 2:59 PM Francis Pouatcha <fpo@adorsys.de> wrote:
>
>> As a replacement of RFC 6749 I am missing a "Direct Grant" with the same
>> simplicity as the "Resource Owner Password Credentials" grant of RFC
>> 6749.
>>
>> The reason is that browser redirects are too complex and most of the time
>> badly implemented by small teams. For the sake of having SMEs use OAuth 2.1
>> with their limited development capacities, I suggest keeping the simple "Resource
>> Owner Password Credentials" grant with an OTP replacing the permanent
>> password.
>>
>> We also have sample implementations working on the market with OTP-based
>> "Resource Owner Password Credentials" with full compatibility with RFC
>> 6749.
>>
>> --
>> Francis Pouatcha
>> Co-Founder and Technical Lead at adorsys
>> https://adorsys-platform.de/solutions/
>>
>
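The thread turns on what happens to first-party clients when an authorization server stops accepting `grant_type=password`. The following is an added example (not code from either participant or from the draft): it shows the RFC 6749 section 5.2 error an OAuth 2.1-style token endpoint would return for the deprecated grant, and a log inventory an operator can run beforehand to find the client_ids that still depend on it. The log format and client names are constructed for the example.

```python
from __future__ import annotations
from collections import Counter
from urllib.parse import parse_qs
from typing import Optional

# Grant types the Security BCP (cited in the thread) says MUST NOT be used.
DEPRECATED_GRANTS = {"password"}


def parse_token_request(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded token request body."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def check_grant_policy(body: str) -> Optional[tuple[int, dict]]:
    """Return None if the grant may proceed, else (HTTP status, RFC 6749 error body).

    Error names follow RFC 6749 section 5.2; a deprecated grant is answered with
    unsupported_grant_type so RFC 6749 clients get a well-defined failure.
    """
    req = parse_token_request(body)
    grant = req.get("grant_type")
    if not grant:
        return 400, {"error": "invalid_request",
                     "error_description": "grant_type is required"}
    if grant in DEPRECATED_GRANTS:
        return 400, {"error": "unsupported_grant_type",
                     "error_description": f"grant_type '{grant}' is not supported"}
    return None


# Constructed token-endpoint access log: one request per line.
SAMPLE_LOG = """\
2020-04-08T22:25:36Z client_id=mobile-app-ios grant_type=password
2020-04-08T22:25:40Z client_id=web-portal grant_type=authorization_code
2020-04-08T22:26:01Z client_id=mobile-app-android grant_type=password
2020-04-08T22:26:05Z client_id=mobile-app-ios grant_type=password
2020-04-08T22:26:10Z client_id=web-portal grant_type=refresh_token
"""


def clients_using_password_grant(log_text: str) -> dict:
    """Count password-grant requests per client_id before enforcing the policy."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        if fields.get("grant_type") == "password":
            counts[fields["client_id"]] += 1
    return dict(counts)
```

Running the inventory before flipping the policy turns Francis's "unusable first-party apps" concern into a concrete list of clients to migrate.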