Re: [OAUTH-WG] [EXTERNAL] OAuth 2.1: dropping password grant

Anthony Nadalin <tonynad@microsoft.com> Tue, 18 February 2020 20:54 UTC


I would suggest a SHOULD NOT instead of MUST; there are still sites using this, and a grace period should be provided before a MUST is pushed out, as there are valid use cases out there still.

From: OAuth <oauth-bounces@ietf.org> On Behalf Of Dick Hardt
Sent: Tuesday, February 18, 2020 12:37 PM
To: oauth@ietf.org
Subject: [EXTERNAL] [OAUTH-WG] OAuth 2.1: dropping password grant

Hey List

(Once again using the OAuth 2.1 name as a placeholder for the doc that Aaron, Torsten, and I are working on)

In the security topics doc

https://tools.ietf.org/html/draft-ietf-oauth-security-topics-14#section-2.4

The password grant MUST NOT be used.

Some background for those interested. I added this grant into OAuth 2.0 to allow applications that had already been provided a password to migrate. Even with the caveats in OAuth 2.0, implementors decided they wanted to prompt the user to enter their credentials, the anti-pattern OAuth was created to eliminate.

Does anyone have concerns with dropping the password grant from the OAuth 2.1 document so that developers don't use it?

/Dick
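As an added example (not code from the thread, the draft, or any IETF implementation), here is one way an authorization-server operator could inventory which clients still send the resource owner password credentials grant and stage the SHOULD NOT / MUST NOT transition the two messages above debate; the logged request bodies, client names and the three-way policy are assumptions.

```python
# Added example: find which clients still use grant_type=password at the
# token endpoint and apply a staged policy (warn during a grace period,
# reject once enforcement is switched on). Not from the OAuth WG thread.
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample of token-endpoint POST bodies as an AS might log them.
# Real logs must never contain the password field; "REDACTED" stands in here.
SAMPLE_TOKEN_REQUESTS = [
    "grant_type=password&username=alice&password=REDACTED&client_id=legacy-mobile&scope=read",
    "grant_type=authorization_code&code=abc&redirect_uri=https%3A%2F%2Fapp.example%2Fcb"
    "&client_id=web-spa&code_verifier=xyz",
    "grant_type=password&username=bob&password=REDACTED&client_id=legacy-mobile",
    "grant_type=refresh_token&refresh_token=rt1&client_id=web-spa",
    "grant_type=password&username=carol&password=REDACTED&client_id=batch-importer",
]


def parse_token_request(body: str) -> dict:
    """Return the form fields of a token request body (first value of each)."""
    fields = parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in fields.items()}


def password_grant_usage(bodies) -> dict:
    """Count password-grant requests per client_id: the migration inventory."""
    counts = Counter()
    for body in bodies:
        req = parse_token_request(body)
        if req.get("grant_type") == "password":
            counts[req.get("client_id", "<unknown>")] += 1
    return dict(counts)


def decide(body: str, enforce: bool, allowlist=frozenset()) -> str:
    """Policy for one request: 'allow', 'warn' (grace period) or 'reject'.

    enforce=False is the SHOULD NOT phase: the grant is served but flagged.
    enforce=True is the MUST NOT phase: only clients on an explicit,
    time-limited allowlist are still served (and flagged); others are rejected.
    """
    req = parse_token_request(body)
    if req.get("grant_type") != "password":
        return "allow"
    if not enforce or req.get("client_id") in allowlist:
        return "warn"
    return "reject"
```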