Contents
Should I use password Grant?
The Password grant type is a way to exchange a user’s credentials for an access token. Because the client application has to collect the user’s password and send it to the authorization server, it is not recommended that this grant be used at all anymore.
What is Grant_type password?
grant_type=password – This tells the server we’re using the Password grant type. username= – The user’s username that they entered in the application. password= – The user’s password that they entered in the application. client_id= – The public identifier of the application that the developer obtained during …
How does Microsoft identity support OAuth 2.0 resource owner password credentials?
The Microsoft identity platform supports the OAuth 2.0 Resource Owner Password Credentials (ROPC) grant, which allows an application to sign in the user by directly handling their password. This article describes how to program directly against the protocol in your application.
Is the resource owner password grant type suitable?
For further details on the downsides of the password grant type, checkout my other article: ” Why the Resource Owner Password Credentials Grant Type is not Authentication nor Suitable for Modern Applications “. Scott heads up IdentityServer development at Rock Solid Knowledge.
Is it a bad idea to use OAuth 2.0 for authentication?
Using OAuth 2.0 for authentication is really, really a bad idea… Problems arising from the use of OAuth 2.0 for authentication does not refer only to the implicit grant type, but also other types, including authorization code type. Lately, I have found an interesting vulnerability in Single Sign-On (SSO) authentication mechanism based on OAuth 2.0.
Is it safe to use password grant type?
The application could be trivially mimicked, and both the user and authorization server would have no way of knowing, allowing an attacker to harvest both user credentials and access tokens The only secure solution is to follow the best practices detailed by the OAuth working group in RFC8252.