Re: [OAUTH-WG] [EXTERNAL] OAuth 2.1: dropping password grant

Phillip Hunt <phil.hunt@independentid.com> Tue, 18 February 2020 21:28 UTC

From: Phillip Hunt <phil.hunt@independentid.com>
Date: Tue, 18 Feb 2020 13:28:16 -0800
Message-Id: <666A031D-72D9-4AAF-8D43-811C2E749733@independentid.com>
References: <13A86ACE-3D9E-4FDF-9892-7A040DE5F4C6@mit.edu>
Cc: Anthony Nadalin <tonynad=40microsoft.com@dmarc.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
In-Reply-To: <13A86ACE-3D9E-4FDF-9892-7A040DE5F4C6@mit.edu>
To: Justin Richer <jricher@mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/rl45-GVPuCcvtbE4xZhXCPIYjl0>
Subject: Re: [OAUTH-WG] [EXTERNAL] OAuth 2.1: dropping password grant

I do recall the password flow was only in 6749 to facilitate transition to OAuth. Maybe it is reasonable to consider ending it now.

Phil

> On Feb 18, 2020, at 1:15 PM, Justin Richer <jricher@mit.edu> wrote:
> 
> There is no need for a grace period. People using OAuth 2.0 can still do OAuth 2.0. People using OAuth 2.1 will do OAuth 2.1. 
> 
>  — Justin
> 
>> On Feb 18, 2020, at 3:54 PM, Anthony Nadalin <tonynad=40microsoft.com@dmarc.ietf.org> wrote:
>> 
>> I would suggest a SHOULD NOT instead of MUST; there are still sites using this, and a grace period should be provided before a MUST is pushed out, as there are valid use cases out there still.
>>  
>> From: OAuth <oauth-bounces@ietf.org> On Behalf Of Dick Hardt
>> Sent: Tuesday, February 18, 2020 12:37 PM
>> To: oauth@ietf.org
>> Subject: [EXTERNAL] [OAUTH-WG] OAuth 2.1: dropping password grant
>>  
>> Hey List 
>>  
>> (Once again using the OAuth 2.1 name as a placeholder for the doc that Aaron, Torsten, and I are working on)
>>  
>> In the security topics doc
>>  
>> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-14#section-2.4
>>  
>> The password grant MUST not be used.
>>  
>> Some background for those interested. I added this grant into OAuth 2.0 to allow applications that had been provided a password to migrate. Even with the caveats in OAuth 2.0, implementors decide they want to prompt the user to enter their credentials, the anti-pattern OAuth was created to eliminate.
>>  
>> Does anyone have concerns with dropping the password grant from the OAuth 2.1 document so that developers don't use it?
>>  
>> /Dick
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 
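Added example, not part of this thread or of any of its authors' messages: two small defender-side checks around the password grant (RFC 6749 section 4.3) that the thread proposes to drop. The first is a minimal token-endpoint dispatcher that refuses grant_type=password with the standard unsupported_grant_type error from RFC 6749 section 5.2, so a client that tries to hand over user credentials is turned away before they are examined. The second is a scan over token-endpoint log lines that inventories which client_ids still send grant_type=password, which is the data an authorization-server operator needs to answer the "sites still using this" question before switching the grant off. The log format, the client ids, and the issuance stub are constructed for this example and belong to no real server.

```python
"""Added example: refusing and inventorying the OAuth 2.0 password grant.
The log format, client ids and token stub below are constructed."""
from collections import Counter
from urllib.parse import parse_qs

# Grant types the endpoint still serves. The password grant is deliberately
# absent; client_credentials is kept to show a non-user grant is unaffected.
ALLOWED_GRANT_TYPES = {"authorization_code", "refresh_token", "client_credentials"}


def handle_token_request(body: str) -> dict:
    """Dispatch a form-encoded token request and return the JSON-style dict
    the endpoint would serialize. Issuance is stubbed with a placeholder token;
    the point here is the grant-type policy, not token minting."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    grant_type = form.get("grant_type")
    if grant_type is None:
        return {"error": "invalid_request",
                "error_description": "grant_type is required"}
    if grant_type not in ALLOWED_GRANT_TYPES:
        # RFC 6749 section 5.2: the server does not support this grant type.
        # Any username/password fields in the body are never read or logged.
        return {"error": "unsupported_grant_type",
                "error_description": f"grant_type {grant_type!r} is not offered"}
    # Constructed placeholder standing in for real token issuance.
    return {"access_token": "PLACEHOLDER_TOKEN", "token_type": "Bearer",
            "expires_in": 3600}


# Constructed token-endpoint log lines (not real traffic).
SAMPLE_LOG = """\
2020-02-18T13:28:16Z POST /token client_id=legacy-cli grant_type=password status=200
2020-02-18T13:28:17Z POST /token client_id=web-app grant_type=authorization_code status=200
2020-02-18T13:28:18Z POST /token client_id=legacy-cli grant_type=password status=200
2020-02-18T13:28:19Z POST /token client_id=batch-job grant_type=client_credentials status=200
2020-02-18T13:28:20Z POST /token client_id=mobile-v1 grant_type=password status=400
"""


def password_grant_usage(log_text: str) -> Counter:
    """Count token requests per client_id that used grant_type=password.
    The clients listed here are the ones that would break when the grant is
    removed, so this is the inventory that drives a migration."""
    usage = Counter()
    for line in log_text.splitlines():
        # key=value tokens only; timestamp, method and path carry no '='.
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if fields.get("grant_type") == "password" and "client_id" in fields:
            usage[fields["client_id"]] += 1
    return usage


if __name__ == "__main__":
    print(handle_token_request("grant_type=password&username=u&password=p"))
    print(handle_token_request("grant_type=authorization_code&code=c&code_verifier=v"))
    for client, n in password_grant_usage(SAMPLE_LOG).most_common():
        print(f"{client}: {n} password-grant request(s)")
```

Running the inventory against the constructed log flags legacy-cli and mobile-v1 as the clients still on the password grant; the web app and the batch job are untouched by the change, which is the distinction the thread's grace-period discussion turns on.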