[OAUTH-WG] Hashing passwords for "password" grant type

Aaron Parecki <aaron@parecki.com> Tue, 07 September 2010 03:09 UTC

Date: Mon, 06 Sep 2010 20:09:56 -0700
Message-ID: <AANLkTi=eODzwVYyPjQXwBP-S+po7-hpP8v-YgQpjVR8S@mail.gmail.com>
From: Aaron Parecki <aaron@parecki.com>
To: OAuth WG <oauth@ietf.org>

Hi folks,

I'm implementing OAuth 2 for my project (geoloqi.com) where I have some
mobile phone clients needing to authenticate. I'm using the "password" grant
type for these clients. Even though the call to the token endpoint is going
over HTTPS, I'm still slightly concerned about sending the user's password
to the server unencrypted. (I don't want the users' passwords to appear in
my debug log file for instance.) Does the spec allow for or have a way to
extend so that I can define a hashing algorithm the client can use to
encrypt the password before sending it? I'm already not storing the
passwords in plain text in the database anyway. Anybody else dealing with a
similar issue?

Aaron
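As an added illustration (not code from the poster or from geoloqi.com) of the two concerns raised above, here is a minimal token-endpoint handler for the "password" grant that keeps the password out of the debug log by redacting it before logging, and verifies it against a salted PBKDF2 record rather than a stored plaintext. The user store, the sample user and the parameter names other than the spec's grant_type/username/password are constructed for the example; note that a hash computed on the client and sent instead of the password simply becomes the credential, so the server must still salt-and-hash whatever it receives.

```python
import hashlib
import hmac
import logging
import os
import secrets
from urllib.parse import parse_qs

ITERATIONS = 100_000  # PBKDF2 work factor; tune to hardware

def make_record(password: str) -> dict:
    """Server-side record: random salt + PBKDF2 digest, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}

# Constructed sample user store for the example.
USERS = {"alice": make_record("correct horse")}

SENSITIVE = {"password", "client_secret"}

def redact(params: dict) -> dict:
    """Copy of the form parameters that is safe to write to a debug log."""
    return {k: ("[REDACTED]" if k in SENSITIVE else v) for k, v in params.items()}

def verify(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        # Do the same work for unknown users so timing does not leak existence.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, rec["hash"])  # constant-time compare

def handle_token_request(body: str) -> dict:
    """Handle a form-encoded token request; returns the JSON-able response."""
    log = logging.getLogger("token")
    params = {k: v[0] for k, v in parse_qs(body).items()}
    log.debug("token request: %s", redact(params))  # password never reaches the log
    if params.get("grant_type") != "password":
        return {"error": "unsupported_grant_type"}
    if verify(params.get("username", ""), params.get("password", "")):
        return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer"}
    return {"error": "invalid_grant"}
```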