Re: [OAUTH-WG] [EXTERNAL] OAuth 2.1: dropping password grant

Justin Richer <jricher@mit.edu> Tue, 18 February 2020 21:15 UTC

From: Justin Richer <jricher@mit.edu>
Message-Id: <13A86ACE-3D9E-4FDF-9892-7A040DE5F4C6@mit.edu>
Date: Tue, 18 Feb 2020 16:15:36 -0500
In-Reply-To: <DM6PR00MB0634A176941D1078F3C655EEA6110@DM6PR00MB0634.namprd00.prod.outlook.com>
Cc: Dick Hardt <dick.hardt@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
To: Anthony Nadalin <tonynad=40microsoft.com@dmarc.ietf.org>
References: <CAD9ie-u_f1fCsTrRtXnk5YHrRHW71EyYiO6xqh9-a=vKTcXp+w@mail.gmail.com> <DM6PR00MB0634A176941D1078F3C655EEA6110@DM6PR00MB0634.namprd00.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/_S6G31ra2LoO8GmhVUGDL4RZnuQ>

There is no need for a grace period. People using OAuth 2.0 can still do OAuth 2.0. People using OAuth 2.1 will do OAuth 2.1. 

 — Justin

> On Feb 18, 2020, at 3:54 PM, Anthony Nadalin <tonynad=40microsoft.com@dmarc.ietf.org> wrote:
> 
> I would suggest a SHOULD NOT instead of MUST, there are still sites using this and a grace period should be provided before a MUST is pushed out as there are valid use cases out there still.
>  
> From: OAuth <oauth-bounces@ietf.org> On Behalf Of Dick Hardt
> Sent: Tuesday, February 18, 2020 12:37 PM
> To: oauth@ietf.org
> Subject: [EXTERNAL] [OAUTH-WG] OAuth 2.1: dropping password grant
>  
> Hey List 
>  
> (Once again using the OAuth 2.1 name as a placeholder for the doc that Aaron, Torsten, and I are working on)
>  
> In the security topics doc
>  
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-14#section-2.4
>  
> The password grant MUST NOT be used.
>  
> Some background for those interested. I added this grant into OAuth 2.0 to allow applications that had been provided a password to migrate. Even with the caveats in OAuth 2.0, implementors decide they want to prompt the user to enter their credentials, the anti-pattern OAuth was created to eliminate. 
>  
>  
> Does anyone have concerns with dropping the password grant from the OAuth 2.1 document so that developers don't use it?
>  
> /Dick
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
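As an added example, not from this thread or from the authors of the draft being discussed, the following token endpoint applies the security-topics rule quoted above: a request with grant_type=password is refused outright with unsupported_grant_type rather than being honoured under a grace period, and the authorization code grant with PKCE (S256) is shown as the path a public client takes instead, so the client never handles the resource owner's password. The client ID, authorization code, redirect URI and code verifier are constructed sample values, and ALLOWED_GRANTS, handle_token_request and the in-memory code store are names chosen for this example.

```python
"""Token-endpoint policy check: refuse the resource-owner password grant and
verify PKCE on the authorization code grant. Added example, not the thread's
or any project's own code. All stored state below is constructed sample data."""
import base64
import hashlib
import hmac
import secrets

# Constructed sample verifier the (hypothetical) public client generated before
# the authorization request; the server only ever stores its S256 challenge.
SAMPLE_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"


def s256_challenge(verifier):
    """PKCE S256 transform (RFC 7636 section 4.2):
    BASE64URL(SHA256(ASCII(code_verifier))) with padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# Hypothetical in-memory store: one code issued earlier to a public client,
# bound to the client, its redirect URI and the PKCE challenge it presented.
CODE_STORE = {
    "SplxlOBeZQQYbYS6WxSbIA": {
        "client_id": "s6BhdRkqt3",
        "redirect_uri": "https://client.example.org/cb",
        "code_challenge": s256_challenge(SAMPLE_VERIFIER),
        "used": False,
    }
}

# Grants this server honours. "password" is deliberately absent: per the
# security-topics draft (section 2.4) it MUST NOT be used.
ALLOWED_GRANTS = {"authorization_code", "refresh_token", "client_credentials"}


def handle_token_request(params):
    """Return (HTTP status, JSON body) for a token request (RFC 6749 section 5)."""
    grant = params.get("grant_type")
    if grant == "password":
        # Reject explicitly so the failure is unambiguous to the client author:
        # the client would be collecting the resource owner's credentials.
        return 400, {
            "error": "unsupported_grant_type",
            "error_description": "resource owner password credentials grant is not supported",
        }
    if grant not in ALLOWED_GRANTS:
        return 400, {"error": "unsupported_grant_type"}
    if grant == "authorization_code":
        return _authorization_code(params)
    return 400, {"error": "invalid_request",
                 "error_description": "grant not implemented in this example"}


def _authorization_code(params):
    """Authorization code exchange with PKCE verification (RFC 7636 section 4.6)."""
    record = CODE_STORE.get(params.get("code"))
    if record is None or record["used"]:
        return 400, {"error": "invalid_grant"}
    # The code is bound to the client and redirect URI it was issued for.
    if (params.get("client_id") != record["client_id"]
            or params.get("redirect_uri") != record["redirect_uri"]):
        return 400, {"error": "invalid_grant"}
    verifier = params.get("code_verifier", "")
    # RFC 7636 section 4.1: the verifier is 43 to 128 characters long.
    if not 43 <= len(verifier) <= 128:
        return 400, {"error": "invalid_grant",
                     "error_description": "code_verifier missing or malformed"}
    # Constant-time compare of the recomputed challenge against the stored one.
    if not hmac.compare_digest(s256_challenge(verifier), record["code_challenge"]):
        return 400, {"error": "invalid_grant",
                     "error_description": "PKCE verification failed"}
    record["used"] = True  # authorization codes are single use
    return 200, {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": 600,
    }
```

A client that previously posted grant_type=password with a username and password now receives a 400 with unsupported_grant_type and no hint of any grace period; the same client, rewritten to use the authorization code flow, redeems its code with the verifier it generated and gets a token without ever seeing the user's password.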