The security topics says MUST. If you want to change that, then that is a
different discussion. :)

In the OAuth 2.1 document, it would just not be included. Applications can
continue to be OAuth 2.0 compliant.

BUT ... if there are valid, new use cases, please describe them! Perhaps it
should not be dropped.


On Tue, Feb 18, 2020 at 12:54 PM Anthony Nadalin <tony...@microsoft.com>
wrote:

> I would suggest a SHOULD NOT instead of MUST, there are still sites using
> this and a grace period should be provided before a MUST is pushed out as
> there are valid use cases out there still.
>
> *From:* OAuth <oauth-boun...@ietf.org> *On Behalf Of* Dick Hardt
> *Sent:* Tuesday, February 18, 2020 12:37 PM
> *To:* oauth@ietf.org
> *Subject:* [EXTERNAL] [OAUTH-WG] OAuth 2.1: dropping password grant
>
> Hey List
>
> (Once again using the OAuth 2.1 name as a placeholder for the doc that
> Aaron, Torsten, and I are working on)
>
> In the security topics doc
>
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-14#section-2.4
>
> The password grant MUST not be used.
>
> Some background for those interested. I added this grant into OAuth 2.0 to
> allow applications that had been provided password to migrate. Even with
> the caveats in OAuth 2.0, implementors decide they want to prompt the user
> to enter their credentials, the anti-pattern OAuth was created to
> eliminate.
>
> Does anyone have concerns with dropping the password grant from the OAuth
> 2.1 document so that developers don't use it?
>
> /Dick
>