Reputation: 62876
Why does OAuth 2 have Resource Owner Password Credentials Grant?
Why would anyone use OAuth 2 with this kind of grant? I mean, if the client already has the name and password of the Resource Owner, why not just authenticate as the Resource Owner using whatever authentication vehicle is used by the Resource Server?
I do not understand the rationale here. Can someone explain it?
Upvotes: 8
Views: 4228
Answers (2)
Reputation: 760
I will provide another point of view.
OAuth 2.0 is a great protocol for common web applications. Some applications, however, use much stronger authentication / authorization mechanism. For these cases, it makes sense to allow token establishment using a strong method. An example of such application can be a banking API - it can use classic OAuth 2.0 flow on web (using bank's website) and strong data signatures using protocols like PowerAuth 2.0 (I am an author of this solution) for native mobile or desktop apps.
Upvotes: 0
Reputation: 54088
As the spec mentions, the Resource Owner Password Credentials grant is for migration purposes and applicable only in scenario's where (typically) the Client and the Authorization Server are controlled by the same party, https://www.rfc-editor.org/rfc/rfc6749#section-1.3.3:
The resource owner password credentials (i.e., username and password) can be used directly as an authorization grant to obtain an access
token. The credentials should only be used when there is a high
degree of trust between the resource owner and the client (e.g., the
client is part of the device operating system or a highly privileged
application), and when other authorization grant types are not
available (such as an authorization code).
It allows for utilizing a standard token and protocol on the leg between Client and Resource server (e.g. OAuth 2.0 Bearer Token), whilst using a "to-be-deprecated" way of getting a token between Client and Authorization Server. https://www.rfc-editor.org/rfc/rfc6749#section-10.7:
The resource owner password credentials grant type is often used for
legacy or migration reasons. It reduces the overall risk of storing
usernames and passwords by the client but does not eliminate the need to expose highly privileged credentials to the client.This grant type carries a higher risk than other grant types because it maintains the password anti-pattern this protocol seeks to avoid. The client could abuse the password, or the password could unintentionally be disclosed to an attacker (e.g., via log files or other records kept by the client).
Additionally, because the resource owner does not have control over the authorization process (the resource owner's involvement ends when it hands over its credentials to the client), the client can obtain
access tokens with a broader scope than desired by the resource
owner. The authorization server should consider the scope and
lifetime of access tokens issued via this grant type.The authorization server and client SHOULD minimize use of this grant type and utilize other grant types whenever possible.
Upvotes: 8
Related Questions
- OAuth - What exactly is a resource owner? When is it not an end-user?
- Difference between the "Resource Owner Password Flow" and the "Client Credentials Flow"
- Difference between the “Resource Owner Password Flow” and the “Implicit grant”
- Is "Resource Owner Password Credentials" safe in OAuth2?
- What is the purpose of Resource Owner Password Credential Grant Type in OAuth 2.0?
- How can Resource Owner grant Client and do not give its information?
- OpenID Connect: Resource Owner Password Credentials
- Secure Oauth 2.0 Resource Owner Password Credentials Grant Type
- How the access grant goes in OAuth2 when Resource Owner is already single signed-in
- Are Client Credentials optional in the oAuth2 Resource Owner Password Credentials Grant flow?