[OAUTH-WG] OAuth 2.1: dropping password grant
Dick Hardt <dick.hardt@gmail.com> Tue, 18 February 2020 20:37 UTC
Hey List

(Once again using the OAuth 2.1 name as a placeholder for the doc that Aaron, Torsten, and I are working on)

In the security topics doc https://tools.ietf.org/html/draft-ietf-oauth-security-topics-14#section-2.4

The password grant MUST not be used.

Some background for those interested. I added this grant into OAuth 2.0 to allow applications that had been provided passwords to migrate. Even with the caveats in OAuth 2.0, implementors decide they want to prompt the user to enter their credentials, the anti-pattern OAuth was created to eliminate.

Does anyone have concerns with dropping the password grant from the OAuth 2.1 document so that developers don't use it?

/Dick
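As an added illustration of what "dropping the password grant" looks like on the authorization server side (example code, not part of the message above or of any draft text): a token endpoint dispatcher that refuses `grant_type=password` with the standard RFC 6749 `unsupported_grant_type` error and records which client_ids are still sending it, so operators can find the applications that have not migrated. The allowed grant set, the `legacy_password_attempts` registry and the request bodies are constructed assumptions for this example.

```python
from urllib.parse import parse_qs

# Grant types this (assumed) OAuth 2.1-style server still offers;
# the resource owner password credentials grant is deliberately absent.
ALLOWED_GRANT_TYPES = {"authorization_code", "refresh_token", "client_credentials"}

# Constructed migration registry: client_id -> number of password-grant
# attempts seen. Only the client identity is recorded, never the submitted
# username or password.
legacy_password_attempts = {}


def handle_token_request(body):
    """Dispatch an application/x-www-form-urlencoded token request body.

    Returns (http_status, json_dict) using the RFC 6749 section 5.2 error format.
    """
    raw = parse_qs(body, keep_blank_values=True)
    # RFC 6749 section 3.2: a parameter MUST NOT appear more than once.
    if any(len(v) != 1 for v in raw.values()):
        return 400, {"error": "invalid_request",
                     "error_description": "duplicate parameter"}
    params = {k: v[0] for k, v in raw.items()}

    grant_type = params.get("grant_type")
    if grant_type is None:
        return 400, {"error": "invalid_request",
                     "error_description": "grant_type is required"}

    if grant_type == "password":
        client_id = params.get("client_id", "<unidentified client>")
        legacy_password_attempts[client_id] = legacy_password_attempts.get(client_id, 0) + 1
        return 400, {"error": "unsupported_grant_type",
                     "error_description": "the password grant is not supported; "
                                          "use the authorization code grant with PKCE"}

    if grant_type not in ALLOWED_GRANT_TYPES:
        return 400, {"error": "unsupported_grant_type"}

    # Hypothetical stand-in for the real per-grant handlers.
    return 200, {"dispatched_grant": grant_type}


if __name__ == "__main__":
    # Constructed sample request from a client that has not migrated yet.
    print(handle_token_request("grant_type=password&username=alice&password=x&client_id=legacy-app"))
    print(legacy_password_attempts)
```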