Re: [OAUTH-WG] OAuth 2.1: dropping password grant

William Denniss <wdenniss@google.com> Mon, 24 February 2020 19:00 UTC

References: <3A39A586-7ABE-4CA2-BAE0-ED3FD197C4BB@forgerock.com> <7C28AD9B-428E-4FB3-B41A-E707D0C1A296@lodderstedt.net> <E37187C7-9DD0-4C3B-990D-55CB8C39BD21@forgerock.com> <CAD9ie-trV02ifD8HU1JQ-FDS0=eLnikM7SWfd1hSHkn5_3m03Q@mail.gmail.com> <649A1EF4-EB80-4FB0-82D4-4F6E3535F774@forgerock.com> <CANsTMfEAoOa6ts8xPc5eZi+D09EOC11-07uUq9R5gD425EbUJg@mail.gmail.com> <9D8B2697-7B09-4CB1-9000-524AACB36D67@forgerock.com> <0C4103FE-12A1-4CB2-8D07-3CEF7D3B4340@lodderstedt.net> <3E680750-FDA1-4513-A2FE-B3E900EBE806@forgerock.com> <55991949-9B1A-44E1-B412-1BB8EAEA4A43@lodderstedt.net> <AAE487F7-776C-472B-B6DF-CB60D434F95A@forgerock.com> <6AFD3B88-CEE5-4857-845D-A866DF5C3DFE@amazon.com> <09C67C29-74D0-4723-826B-17698F566669@forgerock.com> <39B732FC-3401-4003-BDE6-9A3678D96CAD@amazon.com> <CAD9ie-t4-V1OFrq-LPwCyd4ccxXNzDFG8Vs4j6-9HfikhcSG2w@mail.gmail.com> <CD71A751-C929-4698-9D1E-B107F6CD0D76@forgerock.com>
In-Reply-To: <CD71A751-C929-4698-9D1E-B107F6CD0D76@forgerock.com>
From: William Denniss <wdenniss@google.com>
Date: Mon, 24 Feb 2020 11:00:21 -0800
Message-ID: <CAAP42hCc5vB2bE+Nb_b0Z87ngaW-e-2kE0rLfgxD3WnJ0Y-RNw@mail.gmail.com>
To: Neil Madden <neil.madden@forgerock.com>
Cc: Dick Hardt <dick.hardt@gmail.com>, Matthew De Haast <matt=40coil.com@dmarc.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>, "Richard Backman, Annabelle" <richanna=40amazon.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/cLOYj8dqgRHbRkq1FMxKrTNUNkk>
Subject: Re: [OAUTH-WG] OAuth 2.1: dropping password grant

On Mon, Feb 24, 2020 at 6:49 AM Neil Madden <neil.madden@forgerock.com>
wrote:

> Well, kinda. People can still theoretically use OAuth 1 too, but the world
> has moved on - software has dropped support for it, websites don't support
> it, and so on
>
> I'm a bit confused about what OAuth 2.1 is intended to be. If it's not a
> new version of OAuth ("obsoletes" the old RFC), then is it not just another
> BCP? If it is a new version and it removes grant types (OAuth 3.0?)
> then that effectively has the same impact as removing them from OAuth 2.0,
> unless we're envisioning some way for a client to negotiate version 2.0
> support from an AS?
>

Many implementations don't support the "password" grant today (and in fact,
never supported it), so it's not like you can rely on its presence for
interop.

If the client needs to negotiate which grant types it can use, then RFC
8414 provides this today with the "grant_types_supported" key.

William



>
> — Neil
>
> > On 22 Feb 2020, at 01:41, Dick Hardt <dick.hardt@gmail.com> wrote:
> >
> > I'm a little confused on where this thread is going. If we take ROPC out
> of OAuth 2.1 then:
> >
> > 1) Existing deployments can keep using ROPC - why break it if it is
> working.
> >
> > 2) New deployments can use ROPC and be OAuth 2.0 compliant.
> >
> > 3) New deployments that don't need ROPC can be OAuth 2.1 compliant
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
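The negotiation William points to above, worked through as an added example (this is not code from the thread or from any of the participants): a client derives the RFC 8414 metadata URL from the issuer, checks that the document's `issuer` matches what it asked for, reads `grant_types_supported` (applying the RFC's default of `authorization_code` and `implicit` when the key is absent), and picks the first grant type it can use that the server actually advertises. The two metadata documents, the issuer `https://as.example.com` and the client preference list are constructed for illustration.

```python
"""Negotiate an OAuth 2.0 grant type from RFC 8414 authorization server
metadata.  Added example, not code from the mailing-list thread; the
metadata documents and issuer below are constructed for illustration."""
import json
from urllib.parse import urlsplit, urlunsplit

# RFC 8414, Section 2: grant_types_supported is OPTIONAL; when it is omitted
# the server is assumed to support exactly these two grant types.
DEFAULT_GRANT_TYPES = ("authorization_code", "implicit")

WELL_KNOWN = "/.well-known/oauth-authorization-server"


def metadata_url(issuer: str) -> str:
    """Build the RFC 8414 (Section 3) metadata URL for an issuer.

    The well-known path is inserted between the host and the issuer's own
    path component, so https://as.example/tenant1 maps to
    https://as.example/.well-known/oauth-authorization-server/tenant1.
    """
    parts = urlsplit(issuer)
    if parts.scheme != "https" or parts.query or parts.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    path = WELL_KNOWN + parts.path.rstrip("/")
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def parse_metadata(document: str, expected_issuer: str) -> dict:
    """Parse a metadata JSON document and reject issuer mismatches.

    RFC 8414 Section 3.3 requires the 'issuer' value in the document to be
    identical to the issuer the client fetched it for; a mismatch means the
    client is reading metadata that describes some other server.
    """
    meta = json.loads(document)
    if meta.get("issuer") != expected_issuer:
        raise ValueError(
            f"issuer mismatch: {meta.get('issuer')!r} != {expected_issuer!r}"
        )
    return meta


def supported_grant_types(meta: dict) -> frozenset:
    """Grant types the AS advertises, with the RFC 8414 default applied."""
    return frozenset(meta.get("grant_types_supported", DEFAULT_GRANT_TYPES))


def select_grant(meta: dict, client_preferences) -> str:
    """Return the first grant type in the client's preference order that the
    AS advertises.  Raises when there is no overlap, so the client fails
    closed instead of sending a token request the server will reject."""
    supported = supported_grant_types(meta)
    for grant in client_preferences:
        if grant in supported:
            return grant
    raise LookupError(f"no common grant type; AS offers {sorted(supported)}")


# Constructed sample: an AS that never offered the password grant.
AS_NO_PASSWORD = json.dumps({
    "issuer": "https://as.example.com",
    "authorization_endpoint": "https://as.example.com/authorize",
    "token_endpoint": "https://as.example.com/token",
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "code_challenge_methods_supported": ["S256"],
})

# Constructed sample: an AS that omits the key, so the RFC 8414 default applies.
AS_DEFAULT = json.dumps({
    "issuer": "https://as.example.com",
    "authorization_endpoint": "https://as.example.com/authorize",
    "token_endpoint": "https://as.example.com/token",
})

# A legacy client that would use the password grant if offered, else the
# authorization code grant.
CLIENT_PREFS = ("password", "authorization_code")


def demo() -> dict:
    """Run the negotiation against both constructed servers."""
    issuer = "https://as.example.com"
    return {
        "metadata_url": metadata_url(issuer + "/tenant1"),
        "no_password": select_grant(parse_metadata(AS_NO_PASSWORD, issuer), CLIENT_PREFS),
        "default": select_grant(parse_metadata(AS_DEFAULT, issuer), CLIENT_PREFS),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In both constructed cases the client ends up on `authorization_code`, which is the point of the reply: a client written against `grant_types_supported` keeps working against servers that never offered the password grant, and against servers that omit the key entirely.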