Tony: are you ok with dropping password grant? You reference valid use cases. If you think it should continue, would you provide the use cases?
On Tue, Feb 18, 2020 at 12:57 PM Dick Hardt <[email protected]> wrote:
> The security topics says MUST. If you want to change that, then that is a
> different discussion. :)
>
> In the OAuth 2.1 document, it would just not be included. Applications can
> continue to be OAuth 2.0 compliant.
>
> BUT ... if there are valid, new use cases. Please describe them! Perhaps
> it should not be dropped.
>
>
> On Tue, Feb 18, 2020 at 12:54 PM Anthony Nadalin <[email protected]>
> wrote:
>
>> I would suggest a SHOULD NOT instead of MUST, there are still sites using
>> this and a grace period should be provided before a MUST is pushed out as
>> there are valid use cases out there still.
>>
>> From: OAuth <[email protected]> On Behalf Of Dick Hardt
>> Sent: Tuesday, February 18, 2020 12:37 PM
>> To: [email protected]
>> Subject: [EXTERNAL] [OAUTH-WG] OAuth 2.1: dropping password grant
>>
>> Hey List
>>
>> (Once again using the OAuth 2.1 name as a placeholder for the doc that
>> Aaron, Torsten, and I are working on)
>>
>> In the security topics doc
>>
>> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-14#section-2.4
>>
>> The password grant MUST not be used.
>>
>> Some background for those interested. I added this grant into OAuth 2.0
>> to allow applications that had been provided password to migrate. Even with
>> the caveats in OAuth 2.0, implementors decide they want to prompt the user
>> to enter their credentials, the anti-pattern OAuth was created to
>> eliminate.
>>
>> Does anyone have concerns with dropping the password grant from the OAuth
>> 2.1 document so that developers don't use it?
>>
>> /Dick
>
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
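The two positions in the thread above (an outright MUST NOT versus a SHOULD NOT with a grace period) map directly onto an authorization server's token-endpoint policy. The following is an added illustration, not code from the thread or from any OAuth implementation; the request bodies, client ids and sunset date are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
from urllib.parse import parse_qs

# Constructed sample token-endpoint bodies (application/x-www-form-urlencoded).
PASSWORD_REQ = "grant_type=password&username=alice&password=s3cret&client_id=legacy-app"
CODE_REQ = ("grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA"
            "&redirect_uri=https%3A%2F%2Fapp.example%2Fcb&client_id=web-app")

# Dates used by the demo: the thread's date, a hypothetical sunset, and a day after it.
THREAD_DATE = date(2020, 2, 18)
SUNSET = date(2021, 1, 1)
AFTER_SUNSET = date(2021, 6, 1)

@dataclass
class Decision:
    allowed: bool
    error: Optional[dict]   # RFC 6749 section 5.2 error body when rejected
    audit: Optional[dict]   # what the AS logs; never includes the user's password

def password_grant_decision(body: str, today: date, sunset: Optional[date]) -> Decision:
    """Policy check run before token issuance.

    sunset=None   -> password grant is refused outright (the MUST NOT position).
    sunset=<date> -> accepted until that date, with every use audited so operators
                     can find the clients still to migrate (the grace-period position).
    """
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if params.get("grant_type") != "password":
        return Decision(allowed=True, error=None, audit=None)  # not this policy's concern
    # The audit record deliberately omits username and password: the reason for
    # retiring this grant is that the AS and client should not be handling them.
    record = {"client_id": params.get("client_id", "<unknown>"), "grant_type": "password"}
    if sunset is not None and today < sunset:
        record["sunset"] = sunset.isoformat()
        return Decision(allowed=True, error=None, audit=record)
    return Decision(
        allowed=False,
        error={"error": "unsupported_grant_type",
               "error_description": "password grant has been retired; use authorization_code"},
        audit=record,
    )

if __name__ == "__main__":
    for today in (THREAD_DATE, AFTER_SUNSET):
        d = password_grant_decision(PASSWORD_REQ, today, SUNSET)
        print(today, "allowed" if d.allowed else d.error["error"], d.audit)
```

The audit records from grace mode are what an operator would use to find the clients that still depend on the grant before the sunset turns acceptance into rejection.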
