Re: [OAUTH-WG] Direct Grant missing in draft-parecki-oauth-v2-1

Aaron Parecki <aaron@parecki.com> Wed, 08 April 2020 22:03 UTC

In-Reply-To: <CAOW4vyPN7iCt9FdGDhzFWsPB=PVcRaLqgTHtAFA07D-E6SuzzQ@mail.gmail.com>
From: Aaron Parecki <aaron@parecki.com>
Date: Wed, 08 Apr 2020 15:03:12 -0700
Message-ID: <CAGBSGjo0F61grJmk1qotA8fQs1=H1KaqVYKWbEYTeveCJwK4kw@mail.gmail.com>
To: Francis Pouatcha <fpo@adorsys.de>
Cc: OAuth WG <oauth@ietf.org>, draft-parecki-oauth-v2-1@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/WJeZsXPAj2tjRDYt7LeDhQdx0zo>

Hi Francis,

The Resource Owner Password Credentials grant is being deprecated in the
OAuth 2.0 Security BCP:

https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.4

> The resource owner password credentials grant MUST NOT be used.

As this OAuth 2.1 draft is meant to consolidate the best practices across
the existing OAuth 2.0 documents, and is explicitly not intended to define
any new behavior that is not already in an adopted document, we can't
accept your suggestion of adding a new OTP-based grant in this document.

----
Aaron Parecki
aaronparecki.com
@aaronpk <http://twitter.com/aaronpk>



On Wed, Apr 8, 2020 at 2:59 PM Francis Pouatcha <fpo@adorsys.de> wrote:

> As a replacement of RFC 6749 I am missing a "Direct Grant" with the same
> simplicity as the "Resource Owner Password Credentials" grant of RFC 6749.
>
> The reason is that browser redirects are too complex and most of the time
> badly implemented by small teams. For the sake of having SMEs use OAuth 2.1
> with their limited development capacities, I suggest keeping the simple
> "Resource Owner Password Credentials" with an OTP replacing the permanent
> password.
>
> We also have sample implementations working on the market with OTP-based
> "Resource Owner Password Credentials" with full compatibility to RFC 6749.
>
> --
> Francis Pouatcha
> Co-Founder and Technical Lead at adorsys
> https://adorsys-platform.de/solutions/
>
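The two grants under discussion, side by side, as an added example that is not part of either message above and not code from any adorsys or OAuth 2.1 implementation. It builds the RFC 6749 section 4.3 password-grant token request that the Security BCP forbids, then the authorization code request with PKCE (RFC 7636, S256) that OAuth 2.1 keeps, including the client-side `state` check on the redirect and the server-side `code_verifier` check. The endpoint URLs, `client_id`, redirect URI and the sample callback are constructed for illustration; the one real value is the RFC 7636 Appendix B test vector used to check `code_challenge`.

```python
"""Added example: deprecated password grant vs. authorization code + PKCE.
Endpoints, client_id and redirect URI below are assumed, not from the thread."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://as.example.com/authorize"  # assumed
TOKEN_ENDPOINT = "https://as.example.com/token"          # assumed
CLIENT_ID = "sme-app"                                     # assumed
REDIRECT_URI = "https://app.example.com/callback"         # assumed


def password_grant_request(username: str, password: str) -> dict:
    """RFC 6749 section 4.3 token request. The client itself collects and
    forwards the resource owner's credentials, which is the reason
    draft-ietf-oauth-security-topics says this grant MUST NOT be used."""
    return {
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": CLIENT_ID,
    }


def _b64url(raw: bytes) -> str:
    """BASE64URL without padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 code_verifier: high-entropy random string of 43..128
    unreserved characters (32 random bytes encode to 43 characters)."""
    return _b64url(secrets.token_bytes(n_bytes))


def code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(verifier: str, state: str, scope: str = "openid") -> str:
    """Front-channel request the client redirects the browser to."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Client side of the redirect: refuse a mismatched state (CSRF),
    surface an error response, otherwise return the authorization code."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    if "error" in qs:
        raise ValueError(qs["error"][0])
    return qs["code"][0]


def code_grant_request(code: str, verifier: str) -> dict:
    """Back-channel token request; no user credential is ever present."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }


def as_verify_pkce(stored_challenge: str, token_request: dict) -> bool:
    """Authorization-server check: the verifier presented with the code must
    hash to the challenge bound to that code at authorization time."""
    verifier = token_request.get("code_verifier", "")
    if not 43 <= len(verifier) <= 128:
        return False
    return secrets.compare_digest(code_challenge(verifier), stored_challenge)


if __name__ == "__main__":
    v, st = make_code_verifier(), secrets.token_urlsafe(16)
    print(build_authorization_url(v, st))
    code = parse_callback(REDIRECT_URI + "?" + urlencode({"code": "c0de", "state": st}), st)
    print(as_verify_pkce(code_challenge(v), code_grant_request(code, v)))
```

The redirect handling that Francis calls "too complex" is the `parse_callback` and `code_grant_request` pair; everything that makes it safe (random `state`, random `code_verifier`, the S256 binding checked by the server) is a few lines, and none of it puts the user's password or OTP in the client's hands.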