On 2020-05-10 10:20 a.m., Aaron Parecki wrote:
> Hi Beena,
>
> This sounds like a great use of the client credentials grant. The
> password grant is being removed from OAuth 2.0 by the Security Best
> Current Practice. Can you clarify what you've found useful about the
> password grant that the client credentials grant doesn't solve?
One nice benefit of the password grant is that client_id is a nice, general way to trace what application did the log in. Handy for audit logs, and if we ever find a security issue we could hypothetically invalidate all passwords used by the client_id that introduced the issue.

The alternative is to introduce a custom parameter, but this is unlikely to work easily with existing OAuth2 implementations.

So, I will miss "password".

Evert

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
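To illustrate the audit point Evert makes, here is an added example (not code from the thread or from any OAuth library): a minimal password-grant token endpoint that authenticates the client via HTTP Basic, records client_id and username for every login attempt, and can invalidate every token issued through one client_id. The client and user stores are constructed sample data; a real server would store password hashes rather than plaintext.

```python
import base64
import secrets
from dataclasses import dataclass


@dataclass
class TokenRecord:
    token: str
    client_id: str   # which application performed the login
    username: str    # which resource owner's credentials were used
    revoked: bool = False


def basic_auth_header(client_id, client_secret):
    """Build the Authorization header a confidential client sends (RFC 6749 2.3.1)."""
    raw = f"{client_id}:{client_secret}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


class TokenEndpoint:
    """Tiny token endpoint handling only grant_type=password (RFC 6749 4.3)."""

    def __init__(self, clients, users):
        self.clients = clients  # client_id -> client_secret (constructed sample data)
        self.users = users      # username -> password (constructed; hash these in practice)
        self.audit = []         # (event, client_id, username) audit trail
        self.tokens = {}        # access_token -> TokenRecord

    def _authenticate_client(self, headers):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return None
        try:
            cid, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        # Constant-time compare; unknown client_id compares against an empty secret.
        return cid if secrets.compare_digest(self.clients.get(cid, ""), secret) else None

    def token(self, headers, form):
        client_id = self._authenticate_client(headers)
        if client_id is None:
            return 401, {"error": "invalid_client"}
        if form.get("grant_type") != "password":
            return 400, {"error": "unsupported_grant_type"}
        username, password = form.get("username", ""), form.get("password", "")
        if not secrets.compare_digest(self.users.get(username, ""), password):
            self.audit.append(("login_failed", client_id, username))
            return 400, {"error": "invalid_grant"}
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = TokenRecord(tok, client_id, username)
        self.audit.append(("login", client_id, username))  # client_id ties the login to an app
        return 200, {"access_token": tok, "token_type": "Bearer"}

    def revoke_client(self, client_id):
        """Invalidate every live token issued through one client_id; returns the count."""
        hit = [r for r in self.tokens.values() if r.client_id == client_id and not r.revoked]
        for rec in hit:
            rec.revoked = True
        self.audit.append(("client_revoked", client_id, None))
        return len(hit)
```

Because client authentication and the resource owner's credentials arrive in the same request, one audit record captures both the application and the user, which is the linkage the post describes.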
