If it is HTTPS, you aren't sending the password unencrypted. You shouldn't be 
logging POST params unfiltered. You should have a per-user random salt you are 
hashing the password with, which would make it hard for you to hash it on the 
phone without making a separate call to look up the salt for that user, which 
sounds worse than making sure it doesn't get logged.

Phones like the iPhone or Android cannot protect the client secret, so using the 
password type means any client could mimic your trusted client and use the 
password grant type.

On Sep 6, 2010, at 8:09 PM, Aaron Parecki <[email protected]> wrote:

> Hi folks,
> 
> I'm implementing OAuth 2 for my project (geoloqi.com) where I have some 
> mobile phone clients needing to authenticate. I'm using the "password" grant 
> type for these clients. Even though the call to the token endpoint is going 
> over HTTPS, I'm still slightly concerned about sending the user's password to 
> the server unencrypted. (I don't want the users' passwords to appear in my 
> debug log file for instance.) Does the spec allow for or have a way to extend 
> so that I can define a hashing algorithm the client can use to encrypt the 
> password before sending it? I'm already not storing the passwords in plain 
> text in the database anyway. Anybody else dealing with a similar issue?
> 
> Aaron
> 
> 
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
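The server side of what the reply describes (a password-grant token endpoint reached over HTTPS, POST parameters filtered before logging, and a per-user random salt so the same password never hashes the same way twice), as an added example that is not code from this thread or from geoloqi.com. The parameter names are those of the password grant; the PBKDF2 choice, the handler and store layout, the token format, and the sample credentials are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import urllib.parse

# Assumption for the example: PBKDF2-HMAC-SHA256 with a per-user random salt.
# The grant type itself says nothing about how the server stores passwords.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16

# Parameters that must never reach a debug log in clear text.
SENSITIVE_PARAMS = {"password", "client_secret"}


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored hash from a clear-text password and the user's salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_user(store: dict, username: str, password: str) -> None:
    """Register a user with a fresh random salt (constructed in-memory store)."""
    salt = os.urandom(SALT_BYTES)
    store[username] = {"salt": salt, "hash": hash_password(password, salt)}


def verify_password(store: dict, username: str, password: str) -> bool:
    """Re-derive the hash with this user's salt and compare in constant time.

    The client cannot do this step without first fetching the salt, which is
    the extra round trip the reply warns about.
    """
    record = store.get(username)
    if record is None:
        # Spend the same work for an unknown user so timing does not reveal
        # which usernames exist.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    return hmac.compare_digest(hash_password(password, record["salt"]), record["hash"])


def redact_params(params: dict) -> dict:
    """Copy of the POST parameters that is safe to write to a log."""
    return {k: ("[REDACTED]" if k in SENSITIVE_PARAMS else v) for k, v in params.items()}


def handle_token_request(store: dict, body: str, log: list):
    """Handle one form-encoded POST to the token endpoint.

    Returns (status, json_body). The request is assumed to have arrived over
    HTTPS; transport encryption is outside this function.
    """
    parsed = urllib.parse.parse_qs(body, keep_blank_values=True)
    params = {k: v[0] for k, v in parsed.items()}

    # Log the filtered copy only; the raw body is never written anywhere.
    log.append(f"POST /token {redact_params(params)}")

    if params.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}

    # client_id is accepted for bookkeeping but not treated as proof of which
    # app is calling: a secret shipped inside a phone app cannot be kept secret,
    # so any client could present the same client_id/client_secret pair.
    username = params.get("username", "")
    password = params.get("password", "")
    if not username or not password or not verify_password(store, username, password):
        return 400, {"error": "invalid_grant"}

    return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "bearer"}


if __name__ == "__main__":
    users, debug_log = {}, []
    create_user(users, "alice", "correct horse")
    print(handle_token_request(users, "grant_type=password&username=alice&password=correct+horse&client_id=phone-app", debug_log))
    print(debug_log[-1])
```

Because the salt is random per user, two users with the same password get different stored hashes, and the log line for a successful request shows `'password': '[REDACTED]'` rather than the credential.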