Hey List

(Once again using the OAuth 2.1 name as a placeholder for the doc that
Aaron, Torsten, and I are working on)

In the security topics doc

https://tools.ietf.org/html/draft-ietf-oauth-security-topics-14#section-2.4

The password grant MUST not be used.

Some background for those interested. I added this grant into OAuth 2.0 to
allow applications that had been provided passwords to migrate. Even with
the caveats in OAuth 2.0, implementors decide they want to prompt the user
to enter their credentials, the anti-pattern OAuth was created to
eliminate.


Does anyone have concerns with dropping the password grant from the OAuth
2.1 document so that developers don't use it?

/Dick
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth