I would suggest a SHOULD NOT instead of MUST; there are still sites using this, and a grace period should be provided before a MUST is pushed out, as there are valid use cases out there still.
From: OAuth <oauth-boun...@ietf.org> On Behalf Of Dick Hardt
Sent: Tuesday, February 18, 2020 12:37 PM
To: oauth@ietf.org
Subject: [OAUTH-WG] OAuth 2.1: dropping password grant

Hey List

(Once again using the OAuth 2.1 name as a placeholder for the doc that Aaron, Torsten, and I are working on)

In the security topics doc (https://tools.ietf.org/html/draft-ietf-oauth-security-topics-14#section-2.4):

    The password grant MUST not be used.

Some background for those interested. I added this grant into OAuth 2.0 to allow applications that had been provided password to migrate. Even with the caveats in OAuth 2.0, implementors decide they want to prompt the user to enter their credentials, the anti-pattern OAuth was created to eliminate.

Does anyone have concerns with dropping the password grant from the OAuth 2.1 document so that developers don't use it?

/Dick
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
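An added example, not part of the thread and not code from any OAuth implementation, to make the security point of the discussion concrete: under the password grant (RFC 6749 section 4.3) the client has to hold the user's password, whereas under the authorization code grant with PKCE (RFC 7636) the client only ever handles a random code_verifier and a one-time code. The last two functions show the authorization-server side of the proposed MUST NOT: a token-endpoint policy check that refuses grant_type=password and requires a code_verifier on authorization_code requests. The client identifier, redirect URI, endpoint URL, username and password values are constructed for the example.

```python
"""Added example: password grant vs. authorization code + PKCE, plus an
authorization-server check that rejects the password grant (not from the thread)."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode, parse_qs


# --- RFC 6749 section 4.3: the client collects and forwards the user's password ---
def password_grant_body(client_id, username, password, scope=None):
    """Token request body for the password grant. Note the raw password is in it:
    the client application had to prompt for it, which is the anti-pattern the
    thread is about."""
    params = {"grant_type": "password", "username": username, "password": password}
    if scope:
        params["scope"] = scope
    return urlencode(params)


# --- RFC 7636 PKCE: the client holds only a random verifier, never a password ---
def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes -> 43 unreserved characters, inside the 43..128 length rule."""
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_request_url(authz_endpoint, client_id, redirect_uri, verifier, state, scope=None):
    """Front-channel request: the user authenticates at the authorization server,
    not in the client, so the client never sees the credentials."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    if scope:
        params["scope"] = scope
    return authz_endpoint + "?" + urlencode(params)


def authorization_code_token_body(client_id, redirect_uri, code, verifier):
    """Back-channel token request: code plus the verifier that matches the
    challenge sent earlier. No user password anywhere."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,
    })


# --- Authorization server side: enforce "password grant MUST NOT be used" ---
ALLOWED_GRANTS = {"authorization_code", "refresh_token", "client_credentials"}


def token_request_allowed(body: str):
    """Policy check on a token-endpoint request body.
    Returns (allowed, error_code) using the RFC 6749 section 5.2 error names."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    grant = params.get("grant_type")
    if grant is None:
        return False, "invalid_request"
    if grant == "password" or grant not in ALLOWED_GRANTS:
        return False, "unsupported_grant_type"
    # Authorization code requests must carry PKCE (assumed OAuth 2.1 direction).
    if grant == "authorization_code" and not params.get("code_verifier"):
        return False, "invalid_request"
    return True, "ok"


def verify_pkce(stored_challenge: str, code_verifier: str) -> bool:
    """Server-side PKCE check, constant-time comparison of the recomputed challenge."""
    return secrets.compare_digest(code_challenge(code_verifier), stored_challenge)


if __name__ == "__main__":
    v = make_code_verifier()
    print(authorization_request_url("https://as.example/authorize", "app1",
                                    "https://app.example/cb", v, state=b64url(secrets.token_bytes(16))))
    print(token_request_allowed(password_grant_body("app1", "alice", "correct-horse")))
    print(token_request_allowed(authorization_code_token_body("app1", "https://app.example/cb", "SplxlOBeZQQYbYS6WxSbIA", v)))
```

The contrast is visible in the two request bodies: the password grant body contains `password=...`, the authorization code body contains only a code and a verifier that is useless without the matching authorization request. A server that wants to honour the draft's MUST NOT simply answers `unsupported_grant_type` to any `grant_type=password` request, which is what the policy function does.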