Re: [OAUTH-WG] Usage of Password Grant

Evert Pot <me@evertpot.com> Thu, 14 May 2020 05:03 UTC

To: oauth@ietf.org
References: <CAB=KHVUNv9op+kniNuaUJyPKhWQLSYjOfFb+g=4Tg1n4t08ixw@mail.gmail.com> <CAGBSGjqAJ9X7CU_csBJ-eHQQJKCLa4JuR-eqK=2qFURfdLT36g@mail.gmail.com>
From: Evert Pot <me@evertpot.com>
Message-ID: <8af89787-6028-bb9a-abc8-bff66d166a08@evertpot.com>
Date: Thu, 14 May 2020 01:03:05 -0400
In-Reply-To: <CAGBSGjqAJ9X7CU_csBJ-eHQQJKCLa4JuR-eqK=2qFURfdLT36g@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/RLHuAcHroUuuaSlKb1L9lnXHrZU>
Subject: Re: [OAUTH-WG] Usage of Password Grant
List-Id: OAUTH WG <oauth.ietf.org>

On 2020-05-10 10:20 a.m., Aaron Parecki wrote:

> Hi Beena,
>
> This sounds like a great use of the client credentials grant. The
> password grant is being removed from OAuth 2.0 by the Security Best
> Current Practice. Can you clarify what you've found useful about the
> password grant that the client credentials grant doesn't solve?

One nice benefit of the password grant is that client_id is a nice,
general way to trace which application did the login. Handy for audit
logs, and if we ever find a security issue we could hypothetically
invalidate all passwords used by the client_id that introduced the issue.

The alternative is to introduce a custom parameter, but this is unlikely
to work easily with existing OAuth2 implementations.

So, I will miss "password".

Evert
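As an added illustration of the audit point made in the message above (this is not Evert's code, nor any project's implementation), here is a toy authorization server that records client_id on every grant and can revoke every token a given client obtained. The client name, user, password and client secret are constructed sample values; the password check uses plain SHA-256 for brevity where a real server would use a password KDF such as Argon2 or bcrypt.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample data. A real server loads these from a client
# registry and an identity store; the hash below is NOT a proper
# password KDF, it only keeps the example self-contained.
CLIENTS = {"mobile-app-v2": {"secret": "client-secret-demo"}}
USERS = {"beena": hashlib.sha256(b"correct horse").hexdigest()}


@dataclass
class Token:
    value: str
    client_id: str
    subject: str
    grant: str
    revoked: bool = False


@dataclass
class AuthServer:
    tokens: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _issue(self, client_id, subject, grant):
        tok = Token(secrets.token_urlsafe(24), client_id, subject, grant)
        self.tokens[tok.value] = tok
        # client_id is recorded on every grant, so the audit trail can
        # answer "which application performed this login?"
        self.audit_log.append({"grant": grant, "client_id": client_id, "sub": subject})
        return tok

    def password_grant(self, client_id, username, password):
        # Password grant: the end user's credentials arrive via a
        # registered client, so both user and application are known.
        if client_id not in CLIENTS:
            raise PermissionError("unknown client")
        digest = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(USERS.get(username, ""), digest):
            raise PermissionError("invalid credentials")
        return self._issue(client_id, username, "password")

    def client_credentials_grant(self, client_id, client_secret):
        # Client credentials grant: no end user is involved, the
        # subject of the token is the client itself.
        client = CLIENTS.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid client")
        return self._issue(client_id, client_id, "client_credentials")

    def revoke_by_client(self, client_id):
        # Incident response hook: invalidate everything a given
        # application obtained. Returns the number of tokens revoked.
        count = 0
        for tok in self.tokens.values():
            if tok.client_id == client_id and not tok.revoked:
                tok.revoked = True
                count += 1
        return count

    def is_valid(self, value):
        tok = self.tokens.get(value)
        return tok is not None and not tok.revoked


def demo():
    """Run both grants, then revoke by client_id; returns a summary."""
    srv = AuthServer()
    user_tok = srv.password_grant("mobile-app-v2", "beena", "correct horse")
    app_tok = srv.client_credentials_grant("mobile-app-v2", "client-secret-demo")
    revoked = srv.revoke_by_client("mobile-app-v2")
    return {
        "audit": srv.audit_log,
        "revoked": revoked,
        "user_token_valid_after": srv.is_valid(user_tok.value),
        "app_token_valid_after": srv.is_valid(app_tok.value),
    }


if __name__ == "__main__":
    print(demo())
```

The audit entries show the difference the message is pointing at: the password-grant record carries both the client_id and the user, while the client-credentials record identifies only the application.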