Re: [OAUTH-WG] OAuth 2.1: dropping password grant

Neil Madden <neil.madden@forgerock.com> Mon, 24 February 2020 14:49 UTC

From: Neil Madden <neil.madden@forgerock.com>
In-Reply-To: <CAD9ie-t4-V1OFrq-LPwCyd4ccxXNzDFG8Vs4j6-9HfikhcSG2w@mail.gmail.com>
Date: Mon, 24 Feb 2020 14:49:04 +0000
Cc: "Richard Backman, Annabelle" <richanna=40amazon.com@dmarc.ietf.org>, Matthew De Haast <matt=40coil.com@dmarc.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Message-Id: <CD71A751-C929-4698-9D1E-B107F6CD0D76@forgerock.com>
References: <3A39A586-7ABE-4CA2-BAE0-ED3FD197C4BB@forgerock.com> <7C28AD9B-428E-4FB3-B41A-E707D0C1A296@lodderstedt.net> <E37187C7-9DD0-4C3B-990D-55CB8C39BD21@forgerock.com> <CAD9ie-trV02ifD8HU1JQ-FDS0=eLnikM7SWfd1hSHkn5_3m03Q@mail.gmail.com> <649A1EF4-EB80-4FB0-82D4-4F6E3535F774@forgerock.com> <CANsTMfEAoOa6ts8xPc5eZi+D09EOC11-07uUq9R5gD425EbUJg@mail.gmail.com> <9D8B2697-7B09-4CB1-9000-524AACB36D67@forgerock.com> <0C4103FE-12A1-4CB2-8D07-3CEF7D3B4340@lodderstedt.net> <3E680750-FDA1-4513-A2FE-B3E900EBE806@forgerock.com> <55991949-9B1A-44E1-B412-1BB8EAEA4A43@lodderstedt.net> <AAE487F7-776C-472B-B6DF-CB60D434F95A@forgerock.com> <6AFD3B88-CEE5-4857-845D-A866DF5C3DFE@amazon.com> <09C67C29-74D0-4723-826B-17698F566669@forgerock.com> <39B732FC-3401-4003-BDE6-9A3678D96CAD@amazon.com> <CAD9ie-t4-V1OFrq-LPwCyd4ccxXNzDFG8Vs4j6-9HfikhcSG2w@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/wySPxgE-O-P1wTdYkZtMmnjisWg>

Well, kinda. People can still theoretically use OAuth 1 too, but the world has moved on - software has dropped support for it, websites don’t support it, and so on.

I’m a bit confused about what OAuth 2.1 is intended to be. If it’s not a new version of OAuth (“obsoletes” the old RFC), then is it not just another BCP? If it is a new version and it removes grant types (OAuth 3.0?) then that effectively has the same impact as removing them from OAuth 2.0, unless we’re envisioning some way for a client to negotiate version 2.0 support from an AS?

— Neil

> On 22 Feb 2020, at 01:41, Dick Hardt <dick.hardt@gmail.com> wrote:
> 
> I'm a little confused on where this thread is going. If we take ROPC out of OAuth 2.1 then:
> 
> 1) Existing deployments can keep using ROPC - why break it if it is working.
> 
> 2) New deployments can use ROPC and be OAuth 2.0 compliant.
> 
> 3) New deployments that don't need ROPC can be OAuth 2.1 compliant
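The practical shape of the question raised above (what an ROPC client sees once an AS drops the password grant, and whether a client can find out beforehand) can be shown in code. The following is an added example, not code from the thread or from any of its participants: a stub token endpoint that only honours the grant types it advertises and answers with the RFC 6749 section 5.2 error codes, beside a client that consults RFC 8414 authorization server metadata (the grant_types_supported parameter) before sending a password grant. The two metadata documents, the issuer URLs and the token values are constructed; no credentials are actually verified.

```python
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlencode

# Constructed RFC 8414 metadata for two hypothetical authorization servers:
# one that still offers the password (ROPC) grant, one that has dropped it.
AS_20_METADATA: Dict[str, object] = {
    "issuer": "https://as20.example",
    "token_endpoint": "https://as20.example/token",
    "grant_types_supported": ["authorization_code", "refresh_token", "password"],
}
AS_21_METADATA: Dict[str, object] = {
    "issuer": "https://as21.example",
    "token_endpoint": "https://as21.example/token",
    "grant_types_supported": ["authorization_code", "refresh_token"],
}

# Minimum parameter each grant must carry at the token endpoint (RFC 6749 §4).
REQUIRED_PARAMS: Dict[str, List[str]] = {
    "authorization_code": ["code"],
    "refresh_token": ["refresh_token"],
    "password": ["username", "password"],
}


def supports_grant(metadata: Dict[str, object], grant_type: str) -> bool:
    """Client-side discovery. RFC 8414 defines grant_types_supported and says
    that when it is omitted the AS is assumed to support only
    "authorization_code" and "implicit"."""
    supported = metadata.get("grant_types_supported", ["authorization_code", "implicit"])
    return grant_type in supported  # type: ignore[operator]


def token_endpoint(metadata: Dict[str, object], body: str) -> Tuple[int, Dict[str, str]]:
    """Server side: accept only the grants this AS advertises and reply with the
    RFC 6749 §5.2 error codes. Credentials are not checked (constructed stub)."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    grant_type = form.get("grant_type")
    if not grant_type:
        return 400, {"error": "invalid_request",
                     "error_description": "grant_type is required"}
    if grant_type not in metadata["grant_types_supported"]:  # type: ignore[operator]
        # This is the response an existing ROPC client gets from an AS that
        # has removed the password grant: a hard failure, no negotiation.
        return 400, {"error": "unsupported_grant_type"}
    missing = [p for p in REQUIRED_PARAMS.get(grant_type, []) if not form.get(p)]
    if missing:
        return 400, {"error": "invalid_request",
                     "error_description": "missing " + ", ".join(missing)}
    return 200, {"access_token": "constructed-opaque-token", "token_type": "Bearer"}


def client_request(metadata: Dict[str, object], grant_type: str, **params: str) -> Dict[str, str]:
    """Client that checks metadata first, so an unsupported grant is detected
    before any credentials are sent rather than from the error response."""
    if not supports_grant(metadata, grant_type):
        return {"outcome": "skipped",
                "reason": f"{grant_type} not advertised by {metadata['issuer']}"}
    body = urlencode([("grant_type", grant_type), *params.items()])
    status, resp = token_endpoint(metadata, body)
    return {"outcome": "ok" if status == 200 else "error", **resp}


if __name__ == "__main__":
    print(client_request(AS_20_METADATA, "password", username="alice", password="constructed"))
    print(client_request(AS_21_METADATA, "password", username="alice", password="constructed"))
```

The metadata check is the closest thing OAuth currently has to the "negotiate version 2.0 support" idea in the message above: it lets a client learn that an AS no longer offers ROPC without first shipping a username and password to it, but it does not make an existing ROPC-only client work against that AS.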