Re: [OAUTH-WG] OAuth 2.1: dropping password grant
Hans Zandbelt <hans.zandbelt@zmartzone.eu> Tue, 18 February 2020 21:57 UTC
From: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
Date: Tue, 18 Feb 2020 22:57:33 +0100
Message-ID: <CA+iA6ujnsKixcoXrpX+iKj_qLL9BC3Uqo=oAQttvrSdvR_vetw@mail.gmail.com>
To: Aaron Parecki <aaron@parecki.com>
Cc: Justin Richer <jricher@mit.edu>, Anthony Nadalin <tonynad=40microsoft.com@dmarc.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/WiGV8K4_wUE8v8BdKsi1H9F_aK8>
Subject: Re: [OAUTH-WG] OAuth 2.1: dropping password grant
I would also seriously look at the original motivation behind ROPC: I know it has been deployed and is used in quite a lot of places, but I have never actually come across a use case where it is used for migration purposes and the migration is actually executed (I know that is statistically not a very strong argument, but I challenge others to come up with one...). In reality it turned out just to be a one-off that people used as an easy way out to stick to an anti-pattern and still claim to do OAuth 2.0. It is plain wrong, it is not OAuth and we need to get rid of it.

Hans.

On Tue, Feb 18, 2020 at 10:44 PM Aaron Parecki <aaron@parecki.com> wrote:

> Agreed. Plus, the Security BCP is already effectively acting as a grace
> period since it currently says the password grant MUST NOT be used, so in
> the OAuth 2.0 world that's already a pretty strong signal.
>
> Aaron
>
> On Tue, Feb 18, 2020 at 4:16 PM Justin Richer <jricher@mit.edu> wrote:
>
>> There is no need for a grace period. People using OAuth 2.0 can still do
>> OAuth 2.0. People using OAuth 2.1 will do OAuth 2.1.
>>
>> — Justin
>>
>> On Feb 18, 2020, at 3:54 PM, Anthony Nadalin <tonynad=40microsoft.com@dmarc.ietf.org> wrote:
>>
>> I would suggest a SHOULD NOT instead of MUST; there are still sites using
>> this, and a grace period should be provided before a MUST is pushed out, as
>> there are valid use cases out there still.
>>
>> *From:* OAuth <oauth-bounces@ietf.org> *On Behalf Of* Dick Hardt
>> *Sent:* Tuesday, February 18, 2020 12:37 PM
>> *To:* oauth@ietf.org
>> *Subject:* [EXTERNAL] [OAUTH-WG] OAuth 2.1: dropping password grant
>>
>> Hey List
>>
>> (Once again using the OAuth 2.1 name as a placeholder for the doc that
>> Aaron, Torsten, and I are working on)
>>
>> In the security topics doc
>>
>> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-14#section-2.4
>>
>> The password grant MUST not be used.
>>
>> Some background for those interested. I added this grant into OAuth 2.0
>> to allow applications that had been provided a password to migrate. Even with
>> the caveats in OAuth 2.0, implementors decide they want to prompt the user
>> to enter their credentials, the anti-pattern OAuth was created to
>> eliminate.
>>
>> Does anyone have concerns with dropping the password grant from the OAuth
>> 2.1 document so that developers don't use it?
>>
>> /Dick
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
> --
> ----
> Aaron Parecki
> aaronparecki.com
> @aaronpk <http://twitter.com/aaronpk>
>

--
hans.zandbelt@zmartzone.eu
ZmartZone IAM - www.zmartzone.eu
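The thread argues the password grant (ROPC) should be switched off and that the Security BCP already says it MUST NOT be used. As an added example that is not part of this e-mail thread or of any IETF document, the following Python shows the two things an authorization server operator actually needs for that: a token-endpoint grant-type policy that refuses `grant_type=password` with the `unsupported_grant_type` error code RFC 6749 defines, without ever touching the submitted credentials, and a small audit over token-endpoint log lines that lists the clients still depending on the grant so they can be migrated to the authorization code flow first. The log format and the client ids (`mobile-app`, `legacy-cli`, ...) are constructed for the example; real servers log differently.

```python
"""Added example (not from the OAuth WG thread): grant-type policy for an
OAuth 2.0 token endpoint plus an audit that finds clients still using the
password grant (ROPC). Log format and client ids are constructed."""
from collections import Counter
from urllib.parse import parse_qs

# Grant types the token endpoint still accepts. "password" is deliberately
# absent: the Security BCP says the password grant MUST NOT be used.
ALLOWED_GRANT_TYPES = {"authorization_code", "refresh_token", "client_credentials"}


def handle_token_request(body: str) -> tuple[int, dict]:
    """Decide a form-encoded token request on grant_type alone.

    Returns (http_status, json_body). The error codes are the ones
    RFC 6749 section 5.2 defines for the token endpoint."""
    params = parse_qs(body, keep_blank_values=True)
    grant_type = params.get("grant_type", [""])[0]
    if not grant_type:
        return 400, {"error": "invalid_request",
                     "error_description": "grant_type is required"}
    if grant_type == "password":
        # Reject before reading username/password: the client has already
        # collected the user's credentials (the anti-pattern the thread is
        # about), and the server must neither use nor log them.
        return 400, {"error": "unsupported_grant_type",
                     "error_description": "the password grant is disabled; "
                                          "use the authorization code flow"}
    if grant_type not in ALLOWED_GRANT_TYPES:
        return 400, {"error": "unsupported_grant_type"}
    # A real server would now validate the code / refresh token / client
    # credentials; this example only demonstrates the grant-type policy.
    return 200, {"accepted_grant": grant_type}


# Constructed token-endpoint log lines in a hypothetical key=value format:
# "<timestamp> client_id=<id> grant_type=<type> result=<outcome>".
SAMPLE_LOG = """\
2020-02-18T21:50:01Z client_id=mobile-app grant_type=password result=ok
2020-02-18T21:50:07Z client_id=web-portal grant_type=authorization_code result=ok
2020-02-18T21:51:12Z client_id=mobile-app grant_type=password result=ok
2020-02-18T21:52:40Z client_id=batch-job grant_type=client_credentials result=ok
2020-02-18T21:53:03Z client_id=legacy-cli grant_type=password result=invalid_grant
2020-02-18T21:55:19Z client_id=web-portal grant_type=refresh_token result=ok
"""


def password_grant_clients(log_text: str) -> dict[str, int]:
    """Count password-grant token requests per client_id.

    The result is the migration list: every client named here still sends
    user credentials to the token endpoint and must move to the
    authorization code flow before the grant is disabled."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        # Skip the timestamp, then split the remaining key=value fields.
        fields = dict(f.split("=", 1) for f in line.split()[1:] if "=" in f)
        if fields.get("grant_type") == "password":
            counts[fields.get("client_id", "?")] += 1
    return dict(counts)


if __name__ == "__main__":
    print(handle_token_request("grant_type=password&username=alice&password=hunter2"))
    print(handle_token_request("grant_type=authorization_code&code=abc"
                               "&redirect_uri=https%3A%2F%2Fapp.example%2Fcb"))
    print(password_grant_clients(SAMPLE_LOG))
```

Running the audit first and watching the count per client drop to zero, then flipping the policy, is the "grace period" the thread discusses done at the deployment level rather than in the specification: the operator gets the migration list, and the specification can simply say MUST NOT.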