During Daniel's security BCP presentation yesterday, I commented that although I support deprecating ROPG, I also believe we should acknowledge scenarios where U/P use is unavoidable and give clear actionable guidance to developers. Daniel observed that not every scenario is prone to be addressed via OAuth2, and invited me to suggest some language to add to https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13#section-3.4 clarifying that. Here's the proposed language:
> Please note: there are scenarios, such as legacy script languages, apps using connection strings and similar, where the direct use of username and password is required to maintain backward compatibility. Addressing those scenarios is outside of the scope of the OAuth2 authorization framework.

As a side note: I worry a bit that giving explicit license to people to ignore OAuth2 for that particular scenario might provide a bit of slippery slope/broken window effect where developers won't use standard solutions in other scenarios as well. At the same time, if we don't want to tackle that particular class of scenarios, I think it's fair of us to be explicit about it.
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
