IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth 2.1: dropping password grant

William Denniss <wdenniss@google.com> Mon, 24 February 2020 18:50 UTC

Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 364F13A0ABF for <oauth@ietfa.amsl.com>; Mon, 24 Feb 2020 10:50:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zeDrmRMSqIAN for <oauth@ietfa.amsl.com>; Mon, 24 Feb 2020 10:50:54 -0800 (PST)
Received: from mail-oi1-x235.google.com (mail-oi1-x235.google.com [IPv6:2607:f8b0:4864:20::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 824213A10F6 for <oauth@ietf.org>; Mon, 24 Feb 2020 10:50:54 -0800 (PST)
Received: by mail-oi1-x235.google.com with SMTP id c16so9970174oic.3 for <oauth@ietf.org>; Mon, 24 Feb 2020 10:50:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=8y31/VpBt7+cTZkCeNhHUfzZ80M8vXTaOniY+WloKaY=; b=bc6/nNuY87UpBo5EYO2dTTjyxg1+Zx2YlUyg3DjxZSTGRsA1KK1yOJNVyF6xUN1UA9 FcDlKdMPoBa7w5+A1rZ2idzPtIGPTiL3VQbzrORWmUxk6xk62lixJ26yMkXIAHJTX5Fm tPYMIe859icJJirUHXEfRd+pnR+b8DG0UcTV474s+B/DNGecNayX69XyrPL0mcJqpYJM CB5AeCPvSQX2ah4ZsoknzwlWJf0PI1C6+l2MoTn4uDT/maBreHYPj8DmDh0FXgaJe9J0 72jKwnGPuCc7ZpiCxXk1OyYRFNet0N/cPl4ql3bUX4yeVBiDhu8xI/NSk1lx1ByQ9ezX k/yg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=8y31/VpBt7+cTZkCeNhHUfzZ80M8vXTaOniY+WloKaY=; b=e2K8ajE8ygh/U09FlkyFeYy39INbSXBjY3561MA8s9mNo7W/p4f9SfO3R9+W/OdOie 4tin3DAMfqO63JlSfo1wcwcdMa2OId6Y+d54S3SlU632GA8Yj31PSyYsoH2gh2QtIt6u OmWi/H4tO/O6Ripm4lB9sQHo4DFKP2fu1ORjlrzf0WzANevb4naRi/oYFLT0/mi8aec7 7HPXWhBnx7e9QaYgNJPkAW0b1WduuvIWiezVdzRiuTHnmzLw9Z5Yim1at3kbP1eufOx4 +J8IUM0QWPJYThc0jjNSOPU8b9TZcR/6M0Xdcytxb37+kbwlNGtxbjJkpLvqVJcOI6ci 1rSQ==
X-Gm-Message-State: APjAAAV15fJHQFFl0rJApeIkGFyilRd2kxbph3A+Rg5IS6KHz8o7ZqqH cHSSs5nVfI6cDdFA6do7j8LCUv0v3uEKQMEGZpsThA==
X-Google-Smtp-Source: APXvYqzoYs3s2UmKXYrCyu1ZgBqgybX5Xk76iiWIt+Aymz20z3kCEd+IRoeWsDTfH/s5rMYxO+FV3blb1wWOyyMnnRQ=
X-Received: by 2002:aca:45c1:: with SMTP id s184mr390911oia.158.1582570253259; Mon, 24 Feb 2020 10:50:53 -0800 (PST)
MIME-Version: 1.0
References: <3A39A586-7ABE-4CA2-BAE0-ED3FD197C4BB@forgerock.com> <7C28AD9B-428E-4FB3-B41A-E707D0C1A296@lodderstedt.net> <E37187C7-9DD0-4C3B-990D-55CB8C39BD21@forgerock.com> <CAD9ie-trV02ifD8HU1JQ-FDS0=eLnikM7SWfd1hSHkn5_3m03Q@mail.gmail.com> <649A1EF4-EB80-4FB0-82D4-4F6E3535F774@forgerock.com> <CANsTMfEAoOa6ts8xPc5eZi+D09EOC11-07uUq9R5gD425EbUJg@mail.gmail.com> <9D8B2697-7B09-4CB1-9000-524AACB36D67@forgerock.com> <0C4103FE-12A1-4CB2-8D07-3CEF7D3B4340@lodderstedt.net> <3E680750-FDA1-4513-A2FE-B3E900EBE806@forgerock.com> <55991949-9B1A-44E1-B412-1BB8EAEA4A43@lodderstedt.net> <AAE487F7-776C-472B-B6DF-CB60D434F95A@forgerock.com> <6AFD3B88-CEE5-4857-845D-A866DF5C3DFE@amazon.com> <09C67C29-74D0-4723-826B-17698F566669@forgerock.com> <39B732FC-3401-4003-BDE6-9A3678D96CAD@amazon.com> <CAD9ie-t4-V1OFrq-LPwCyd4ccxXNzDFG8Vs4j6-9HfikhcSG2w@mail.gmail.com> <CD71A751-C929-4698-9D1E-B107F6CD0D76@forgerock.com>
In-Reply-To: <CD71A751-C929-4698-9D1E-B107F6CD0D76@forgerock.com>
From: William Denniss <wdenniss@google.com>
Date: Mon, 24 Feb 2020 10:50:38 -0800
Message-ID: <CAAP42hADXrpd89zaP5NnoA5gCNmhGPWc_bD9esdLWWP=OR0CyQ@mail.gmail.com>
To: Neil Madden <neil.madden@forgerock.com>
Cc: Dick Hardt <dick.hardt@gmail.com>, Matthew De Haast <matt=40coil.com@dmarc.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>, "Richard Backman, Annabelle" <richanna=40amazon.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c7905f059f56d989"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ZTrDX9NiQGnM1_U_oAll0mxS5jg>
Subject: Re: [OAUTH-WG] OAuth 2.1: dropping password grant
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Feb 2020 18:50:56 -0000

+1 to drop ROPC from the Security BCP, as it is not the best current
practice.

Speaking generally, the argument that people are currently using it and
will need to change, therefore we shouldn't deprecate anything is actually
antithetical to the goals of a BCP. As has been pointed out, they can
ignore the BCP should they wish and keep doing what they are doing. Really
the question should be: is this the right way to do this? I believe the
answer to that is "no", particularly when reading the original text in RFC
6749 Section 1.3.3 that we're essentially striking out here. If people are
doing different things with this grant type, then that's probably worthy of
it's own grant type.

As you wrote earlier Niel "There are better grant types for this - e.g. JWT
bearer - but they are a bit harder to implement.". Perhaps we can document
the better practice for this use-case to help point people using ROPC for
this in the right direction. Regarding the "harder to implement" concern, I
also don't think that's a reason for not deprecating. When I wrote RFC 8252
everyone was doing native app authorization in web views, and would need to
change what they were doing to adopt the BCP which was actually a lot of
work (but, for the reasons documented, it was really important to change).
This was actually why I wrote that BCP... to justify and help drive that
necessary change.

On Mon, Feb 24, 2020 at 6:49 AM Neil Madden <neil.madden@forgerock.com>
wrote:

> Well, kinda. People can still theoretically use OAuth 1 too, but the world
> has moved on - software has dropped support for it, websites don’t support
> it, and so on.
>
> I’m a bit confused about what OAuth 2.1 is intended to be. If it’s not a
> new version of OAuth (“obsoletes” the old RFC), then is not just another
> BCP? If it is a new version and it removes grant types (OAuth 3.0?) then
> that effectively has the same impact as removing them from OAuth 2.0,
> unless we’re envisioning some way for a client to negotiate version 2.0
> support from an AS?
>
> — Neil
>
> > On 22 Feb 2020, at 01:41, Dick Hardt <dick.hardt@gmail.com> wrote:
> >
> > I'm a little confused on where this thread is going. If we take ROPC out
> of OAuth 2.1 then:
> >
> > 1) Existing deployments can keep using ROPC - why break it if it is
> working.
> >
> > 2) New deployments can use ROPC and be OAuth 2.0 compliant.
> >
> > 3) New deployments that don't need ROPC can be OAuth 2.1 compliant
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email