
Remove obsolete / insecure OAuth2 flows from this spec

Open: GeorgDangl opened this issue 3 years ago • 1 comment

Here, we're listing two flows: https://github.com/buildingSMART/foundation-API#221-obtaining-authentication-information

  • implicit_grant, which has been effectively deprecated, or at least its usage is heavily discouraged
  • resource_owner_password_credentials_grant, which never really was considered secure in scenarios where you did not control all services involved

This was brought up in the meeting today, and we should just remove it from the spec completely.

GeorgDangl, Jun 22 '21 14:06

Sep 25th 2023. See discussion on generalising OAUTH flows to avoid banning supported features on https://github.com/buildingSMART/foundation-API/issues/25 (same date).

ykulbak, Sep 25 '23 09:09