Open ioniconline opened 2 years ago
Good question. We should deprecate/remove this as we did for oob. Think of 2.0.0 as the start of getting to the OAuth 2 BCP/OAuth 2.1.
@ioniconline yes this feature is still available as it is part of the OAuth spec, even though it isn't best practice.
@n2ygk I feel like we should modify the docs and help text to clearly mark this is not a best practice, but I don't feel we can remove it and still claim standards compliance for a wider audience or adversely impact people who are using it for first party auth or other legacy reasons in their infrastructure. Do we want to spin up a separate task for this work or update the OP with some implementation direction?
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-13#section-3.4
3.4. Resource Owner Password Credentials Grant
The resource owner password credentials grant MUST NOT be used. This grant type insecurely exposes the credentials of the resource owner to the client. Even if the client is benign, this results in an increased attack surface (credentials can leak in more places than just the AS) and users are trained to enter their credentials in places other than the AS.
Furthermore, adapting the resource owner password credentials grant to two-factor authentication, authentication with cryptographic credentials, and authentication processes that require multiple steps can be hard or impossible (WebCrypto, WebAuthn).
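What the normative text above means at the token endpoint, as an added example that is not part of this thread and not django-oauth-toolkit's or oauthlib's code: a minimal in-memory authorization server that refuses grant_type=password with the `unsupported_grant_type` error RFC 6749 section 5.2 prescribes, before it ever reads a username or password, and only issues tokens for the client_credentials grant. The client registry (`svc-reports`, its secret and scope), the token TTL and the function names are constructed for the demo.

```python
"""Token endpoint that refuses the resource owner password credentials grant.

Added example, not django-oauth-toolkit code. The allowed-grant set, the
client registry and the token store are assumptions made for the demo; the
error codes and HTTP statuses follow RFC 6749 section 5.2 and RFC 7662.
"""
import secrets
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs

# Policy: grants this AS still supports. "password" is deliberately absent,
# per OAuth 2.0 Security BCP section 3.4.
ALLOWED_GRANTS = frozenset({"client_credentials"})

# Constructed registry of one confidential client (demo data, not real).
CLIENTS = {"svc-reports": {"secret": "s3cret", "scopes": {"reports:read"}}}

_access_tokens = {}  # token -> {"client_id", "scope", "expires"}


def _error(status: int, code: str, desc: Optional[str] = None):
    body = {"error": code}
    if desc:
        body["error_description"] = desc
    return status, body


def _issue(client_id: str, scope: set, ttl: int = 3600) -> dict:
    """Mint an opaque bearer token. No refresh token: RFC 6749 section 4.4.3
    says one SHOULD NOT be issued for client_credentials."""
    token = secrets.token_urlsafe(32)
    _access_tokens[token] = {"client_id": client_id, "scope": scope,
                             "expires": time.time() + ttl}
    return {"access_token": token, "token_type": "Bearer", "expires_in": ttl,
            "scope": " ".join(sorted(scope))}


def token_endpoint(body: str, basic_auth: Optional[Tuple[str, str]] = None):
    """Handle one POST to /token. `body` is the form-encoded request body,
    `basic_auth` the (client_id, client_secret) from HTTP Basic, if any."""
    params = parse_qs(body, keep_blank_values=True)
    repeated = [k for k, v in params.items() if len(v) > 1]
    if repeated:  # RFC 6749 section 3.2: parameters MUST NOT repeat
        return _error(400, "invalid_request", f"repeated parameter: {repeated[0]}")
    flat = {k: v[0] for k, v in params.items()}

    grant = flat.get("grant_type")
    if not grant:
        return _error(400, "invalid_request", "grant_type missing")
    if grant not in ALLOWED_GRANTS:
        # Reached for grant_type=password: the request is refused before any
        # username/password parameter is looked at, so the AS never handles
        # resource owner credentials sent by a client.
        return _error(400, "unsupported_grant_type")

    # Client authentication (RFC 6749 section 2.3.1), constant-time compare.
    if basic_auth is None:
        return _error(401, "invalid_client")
    client_id, secret = basic_auth
    client = CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client["secret"], secret):
        return _error(401, "invalid_client")

    # client_credentials: requested scope must be a subset of the registered one.
    scope = set(flat.get("scope", "").split()) or set(client["scopes"])
    if not scope <= client["scopes"]:
        return _error(400, "invalid_scope")
    return 200, _issue(client_id, scope)


def introspect(token: str) -> dict:
    """RFC 7662-style lookup used by resource servers; expired tokens are dropped."""
    rec = _access_tokens.get(token)
    if rec is None or rec["expires"] <= time.time():
        _access_tokens.pop(token, None)
        return {"active": False}
    return {"active": True, "client_id": rec["client_id"],
            "scope": " ".join(sorted(rec["scope"])), "exp": int(rec["expires"])}


if __name__ == "__main__":
    # A legacy client trying ROPC gets a flat refusal, with no credential handling.
    print(token_endpoint("grant_type=password&username=alice&password=hunter2"))
    status, resp = token_endpoint("grant_type=client_credentials&scope=reports:read",
                                  ("svc-reports", "s3cret"))
    print(status, introspect(resp["access_token"]))
```

The order of checks is the point: the grant-type gate runs before client authentication and before any parameter named `password` is touched, so deprecating the grant does not just hide it in the docs but removes the code path in which resource owner credentials would otherwise be received, logged or stored by the server.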