[OAUTH-WG] Hashing passwords for "password" grant type
Aaron Parecki <aaron@parecki.com> Tue, 07 September 2010 03:09 UTC
Message-ID: <AANLkTi=eODzwVYyPjQXwBP-S+po7-hpP8v-YgQpjVR8S@mail.gmail.com>
Hi folks,

I'm implementing OAuth 2 for my project (geoloqi.com) where I have some mobile phone clients needing to authenticate. I'm using the "password" grant type for these clients.

Even though the call to the token endpoint is going over HTTPS, I'm still slightly concerned about sending the user's password to the server unencrypted. (I don't want the users' passwords to appear in my debug log file, for instance.) Does the spec allow for, or have a way to extend so that, I can define a hashing algorithm the client can use to encrypt the password before sending it? I'm already not storing the passwords in plain text in the database anyway.

Anybody else dealing with a similar issue?

Aaron
- [OAUTH-WG] Hashing passwords for "password" grant… Aaron Parecki
- Re: [OAUTH-WG] Hashing passwords for "password" g… Luke Shepard
- Re: [OAUTH-WG] Hashing passwords for "password" g… Kris Selden
- Re: [OAUTH-WG] Hashing passwords for "password" g… Igor Faynberg
- Re: [OAUTH-WG] Hashing passwords for "password" g… Yutaka OIWA
- Re: [OAUTH-WG] Hashing passwords for "password" g… Brian Eaton
- Re: [OAUTH-WG] Hashing passwords for "password" g… Aaron Parecki
- Re: [OAUTH-WG] Hashing passwords for "password" g… Kris Selden