Re: [OAUTH-WG] [EXTERNAL] OAuth 2.1: dropping password grant

Dick Hardt <dick.hardt@gmail.com> Tue, 18 February 2020 20:57 UTC

References: <CAD9ie-u_f1fCsTrRtXnk5YHrRHW71EyYiO6xqh9-a=vKTcXp+w@mail.gmail.com> <DM6PR00MB0634A176941D1078F3C655EEA6110@DM6PR00MB0634.namprd00.prod.outlook.com>
In-Reply-To: <DM6PR00MB0634A176941D1078F3C655EEA6110@DM6PR00MB0634.namprd00.prod.outlook.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Tue, 18 Feb 2020 12:57:19 -0800
Message-ID: <CAD9ie-uk33y-5-JiKc6XA_6juGg8Hagp11VW4hwQVepKDFZioA@mail.gmail.com>
To: Anthony Nadalin <tonynad@microsoft.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Q9Gj36KAaWfAK6uHXCgeCGu5N_A>

The security topics says MUST. If you want to change that, then that is a
different discussion. :)

In the OAuth 2.1 document, it would just not be included. Applications can
continue to be OAuth 2.0 compliant.

BUT ... if there are valid, new use cases, please describe them! Perhaps it
should not be dropped.


On Tue, Feb 18, 2020 at 12:54 PM Anthony Nadalin <tonynad@microsoft.com>
wrote:

> I would suggest a SHOULD NOT instead of MUST, there are still sites using
> this and a grace period should be provided before a MUST is pushed out as
> there are valid use cases out there still.
>
> *From:* OAuth <oauth-bounces@ietf.org> *On Behalf Of* Dick Hardt
> *Sent:* Tuesday, February 18, 2020 12:37 PM
> *To:* oauth@ietf.org
> *Subject:* [EXTERNAL] [OAUTH-WG] OAuth 2.1: dropping password grant
>
> Hey List
>
> (Once again using the OAuth 2.1 name as a placeholder for the doc that
> Aaron, Torsten, and I are working on)
>
> In the security topics doc
>
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-14#section-2.4
>
> The password grant MUST not be used.
>
> Some background for those interested. I added this grant into OAuth 2.0 to
> allow applications that had been provided passwords to migrate. Even with
> the caveats in OAuth 2.0, implementors decide they want to prompt the user
> to enter their credentials, the anti-pattern OAuth was created to
> eliminate.
>
> Does anyone have concerns with dropping the password grant from the OAuth
> 2.1 document so that developers don't use it?
>
> /Dick
>
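What "dropping the password grant" looks like at a token endpoint, as an added example that is not part of this thread or of any OAuth 2.1 draft text: the server refuses `grant_type=password` outright (the security topics draft's MUST NOT), so user credentials never reach the client or the token endpoint, and serves only the authorization code grant with PKCE (S256), the flow the OAuth 2.1 draft keeps. The in-memory code store, the function names and the 600-second token lifetime are assumptions made for the example; the user-authentication step at the authorization endpoint is not modelled.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed in-memory store of issued authorization codes (example only;
# a real AS would persist these with an expiry).
ISSUED_CODES: Dict[str, dict] = {}


def make_code_verifier() -> str:
    """RFC 7636 code_verifier: 43..128 unreserved chars; 32 random bytes -> 43 chars."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorize(client_id: str, redirect_uri: str,
              code_challenge: str, code_challenge_method: Optional[str]) -> str:
    """Authorization endpoint (after the user has authenticated at the AS, not shown).

    Binds the code to client_id, redirect_uri and the PKCE challenge. Only S256
    is accepted; 'plain' or a missing challenge is refused.
    """
    if code_challenge_method != "S256" or not code_challenge:
        raise ValueError("PKCE with S256 is required")
    code = secrets.token_urlsafe(32)
    ISSUED_CODES[code] = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": code_challenge,
    }
    return code


def token_endpoint(form: Dict[str, str]) -> dict:
    """Token endpoint: the only supported grant is authorization_code + PKCE."""
    grant_type = form.get("grant_type")
    if grant_type == "password":
        # Resource owner password credentials: refused before the username/password
        # fields are even read, so nothing here can log or store them.
        return {"error": "unsupported_grant_type"}
    if grant_type != "authorization_code":
        return {"error": "unsupported_grant_type"}

    # Codes are single use: pop() so a replayed code fails with invalid_grant.
    record = ISSUED_CODES.pop(form.get("code", ""), None)
    if record is None:
        return {"error": "invalid_grant"}
    if (record["client_id"] != form.get("client_id")
            or record["redirect_uri"] != form.get("redirect_uri")):
        return {"error": "invalid_grant"}

    verifier = form.get("code_verifier", "")
    if not 43 <= len(verifier) <= 128:
        return {"error": "invalid_grant"}
    # Constant-time compare of the recomputed challenge against the stored one.
    if not hmac.compare_digest(make_code_challenge(verifier), record["code_challenge"]):
        return {"error": "invalid_grant"}

    return {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": 600,
    }


def demo_flow() -> dict:
    """Full client-side flow: verifier -> challenge -> code -> token."""
    verifier = make_code_verifier()
    code = authorize("app1", "https://app.example/cb", make_code_challenge(verifier), "S256")
    return token_endpoint({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": "app1",
        "redirect_uri": "https://app.example/cb",
        "code_verifier": verifier,
    })
```

Rejecting the grant type before reading the credential fields is the point: an endpoint that parses `username`/`password` and then returns an error has still handled the password. The S256 path is what a migrating application moves to; the `plain` method is refused because it would let an attacker who observes the authorization request replay the code.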