I do recall password flow was only in 6749 to facilitate transition to OAuth. Maybe it is reasonable to consider ending it now.

Phil

> On Feb 18, 2020, at 1:15 PM, Justin Richer <jric...@mit.edu> wrote:
>
> There is no need for a grace period. People using OAuth 2.0 can still do
> OAuth 2.0. People using OAuth 2.1 will do OAuth 2.1.
>
> — Justin
>
>> On Feb 18, 2020, at 3:54 PM, Anthony Nadalin
>> <tonynad=40microsoft....@dmarc.ietf.org> wrote:
>>
>> I would suggest a SHOULD NOT instead of MUST, there are still sites using
>> this and a grace period should be provided before a MUST is pushed out as
>> there are valid use cases out there still.
>>
>> From: OAuth <oauth-boun...@ietf.org> On Behalf Of Dick Hardt
>> Sent: Tuesday, February 18, 2020 12:37 PM
>> To: oauth@ietf.org
>> Subject: [EXTERNAL] [OAUTH-WG] OAuth 2.1: dropping password grant
>>
>> Hey List
>>
>> (Once again using the OAuth 2.1 name as a placeholder for the doc that
>> Aaron, Torsten, and I are working on)
>>
>> In the security topics doc
>>
>> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-14#section-2.4
>>
>> The password grant MUST not be used.
>>
>> Some background for those interested. I added this grant into OAuth 2.0 to
>> allow applications that had been provided password to migrate. Even with the
>> caveats in OAuth 2.0, implementors decide they want to prompt the user to
>> enter their credentials, the anti-pattern OAuth was created to eliminate.
>>
>> Does anyone have concerns with dropping the password grant from the OAuth
>> 2.1 document so that developers don't use it?
>>
>> /Dick
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth