oidc-client-ts
Drop Support for Resource Owner Credentials Grant
Based on the draft specification for OAuth 2.1 (1.8. Compatibility with OAuth 2.0) the future of OAuth will no longer support both the Implicit flow and the Resource Owner Credentials grant.
The draft specifically mentions "some features available in OAuth 2.0, such as the Implicit or Resource Owner Credentials grant types, are not specified in OAuth 2.1".
In light of this, and considering that the oidc-client-ts has already dropped support for the Implicit grant, I believe it's time to also reconsider the Resource Owner Credentials grant.
Further to this point, the draft specification for OAuth 2.0 for Browser-Based Apps explicitly prohibits the use of the Resource Owner Password Credentials Grant, and it instructs Authorization servers to not support it for browser-based clients.
"The Resource Owner Password Credentials Grant MUST NOT be used...the Resource Owner Password Credentials Grant does not provide any built-in mechanism for these, and would instead need to be extended with custom code"
Moreover, the OAuth 2.0 Security Best Current Practice draft also strongly advises against using the Resource Owner Password Credentials Grant, citing several security risks:
"The resource owner password credentials grant [RFC6749] MUST NOT be used. This grant type insecurely exposes the credentials of the resource owner to the client...adapting the resource owner password credentials grant to two-factor authentication, authentication with cryptographic credentials (cf. WebCrypto [WebCrypto], WebAuthn [WebAuthn]), and authentication processes that require multiple steps can be hard or impossible."
In view of all these concerns, it seems clear that there are no viable scenarios where using the Resource Owner Credentials grant would be the best choice. Therefore, I propose to drop support for the Resource Owner Credentials grant, aligning the library with OAuth 2.1.
I look forward to hearing your feedback on this suggestion.
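As an added illustration of the point the Security BCP quote makes (this is example code, not part of oidc-client-ts or of the proposal above), the following contrasts what the client must send under the Resource Owner Password Credentials grant with what it sends under the authorization code flow with PKCE (RFC 7636). Under the password grant the client has to collect and transmit the user's raw password; under the code flow the client only ever handles a random code verifier and the authorization code, and the user authenticates at the authorization server. The endpoint URLs, client id and user name are constructed placeholders; the PKCE test vector is the one from RFC 7636 Appendix B.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "crypto";

// Form-encoded token request parameters, as a plain key/value map.
export type TokenRequestBody = Record<string, string>;

// Resource Owner Password Credentials grant (RFC 6749 section 4.3).
// The client itself must hold the user's password to build this request,
// which is exactly the exposure the Security BCP objects to.
export function buildPasswordGrantBody(
  clientId: string, username: string, password: string, scope: string,
): TokenRequestBody {
  return { grant_type: "password", client_id: clientId, username, password, scope };
}

// RFC 4648 base64url without padding, as PKCE requires.
function base64url(buf: Buffer): string {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// PKCE code_verifier: 32 random bytes -> 43 URL-safe characters (RFC 7636 allows 43..128).
export function generateCodeVerifier(): string {
  return base64url(randomBytes(32));
}

// PKCE S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
export function codeChallengeS256(verifier: string): string {
  return base64url(createHash("sha256").update(verifier, "ascii").digest());
}

// Front-channel authorization request. No credential of the user appears here;
// the user signs in (password, MFA, WebAuthn, whatever the AS supports) at the AS.
export function buildAuthorizeUrl(
  authorizeEndpoint: string, clientId: string, redirectUri: string,
  scope: string, state: string, codeChallenge: string,
): string {
  const u = new URL(authorizeEndpoint);
  u.searchParams.set("response_type", "code");
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("redirect_uri", redirectUri);
  u.searchParams.set("scope", scope);
  u.searchParams.set("state", state);
  u.searchParams.set("code_challenge", codeChallenge);
  u.searchParams.set("code_challenge_method", "S256");
  return u.toString();
}

// Back-channel code exchange: the client proves possession of the verifier,
// never of the user's password.
export function buildCodeExchangeBody(
  clientId: string, code: string, redirectUri: string, codeVerifier: string,
): TokenRequestBody {
  return {
    grant_type: "authorization_code",
    client_id: clientId,
    code,
    redirect_uri: redirectUri,
    code_verifier: codeVerifier,
  };
}

// Authorization-server side of PKCE: recompute the challenge from the presented
// verifier and compare it in constant time with the one stored at authorize time.
export function verifyPkce(storedChallenge: string, presentedVerifier: string): boolean {
  const recomputed = Buffer.from(codeChallengeS256(presentedVerifier), "ascii");
  const stored = Buffer.from(storedChallenge, "ascii");
  if (recomputed.length !== stored.length) return false;
  return timingSafeEqual(recomputed, stored);
}

// Does a token request body carry the user's password at all?
export function exposesPassword(body: TokenRequestBody): boolean {
  return "password" in body;
}

// Constructed walk-through with placeholder endpoints and identifiers.
export function demo(): { passwordGrantExposes: boolean; codeFlowExposes: boolean; pkceOk: boolean } {
  const ropc = buildPasswordGrantBody("spa-client", "alice", "s3cret-from-user", "openid profile");
  const verifier = generateCodeVerifier();
  const challenge = codeChallengeS256(verifier);
  buildAuthorizeUrl("https://as.example/authorize", "spa-client",
    "https://app.example/callback", "openid profile", "xyz", challenge);
  const exchange = buildCodeExchangeBody("spa-client", "SplxlOBeZQQYbYS6WxSbIA",
    "https://app.example/callback", verifier);
  return {
    passwordGrantExposes: exposesPassword(ropc),   // true
    codeFlowExposes: exposesPassword(exchange),    // false
    pkceOk: verifyPkce(challenge, verifier),       // true
  };
}
```

The point of `exposesPassword` is not the check itself but what it makes visible: a browser-based client cannot build a password-grant request without possessing the password, whereas the code-flow request contains nothing that lets the client impersonate the user elsewhere, and the authorization server remains free to add MFA or WebAuthn without any change to the client.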