password
Registry Context
RFC 6749 defines `password` as a required token-request parameter carrying the resource owner's password in the resource owner password credentials grant. RFC 9700 now prohibits use of that grant.
Technical Summary
In the RFC 6749 password grant, `password` is included in the UTF-8 `application/x-www-form-urlencoded` token request body. The authorization server validates the supplied resource owner credentials and protects the endpoint against brute-force attacks. OAuth 2.0 Security BCP, RFC 9700, states that this grant MUST NOT be used.
When Used
Historically used in resource owner password credentials grant token requests. It must not be used under RFC 9700.
Normative Requirements
Clients
RFC 6749 - Section 4.3.1
Discard the resource owner credentials after obtaining an access token..
Condition: Once an access token has been obtained.
The client MUST discard the credentials once an access token has been obtained.
RFC 6749 - Section 4.3.2
Set `grant_type` to `password`..
Condition: When evaluating a resource owner password credentials grant request under RFC 6749.
Value MUST be set to "password".
RFC 6749 - Section 4.3.2
Authenticate with the authorization server as described in Section 3.2.1..
Condition: If the client is confidential, was issued client credentials, or was assigned other authentication requirements.
the client MUST authenticate with the authorization server as described in Section 3.2.1.
RFC 6749 - Section 4.3.2
Include the `password` parameter, containing the resource owner password, in the token endpoint request..
Condition: When evaluating a resource owner password credentials grant request under RFC 6749.
password REQUIRED. The resource owner password.
Authorization servers
RFC 6749 - Section 4.3.2
Require client authentication..
Condition: For confidential clients and clients issued credentials or assigned other authentication requirements.
The authorization server MUST: require client authentication for confidential clients
RFC 6749 - Section 4.3.2
Authenticate the client..
Condition: If client authentication is included.
The authorization server MUST: authenticate the client if client authentication is included
RFC 6749 - Section 4.3.2
Validate the resource owner password credentials using its existing password validation algorithm..
Condition: When processing the request under RFC 6749.
The authorization server MUST: validate the resource owner password credentials using its existing password validation algorithm.
RFC 6749 - Section 4.3.2
Protect the token endpoint against brute-force attacks..
Condition: When supporting resource owner password credential requests under RFC 6749.
the authorization server MUST protect the endpoint against brute force attacks
authorization server and client
RFC 6749 - Section 10.7
Minimize use of the resource owner password credentials grant and use other grant types whenever possible..
The authorization server and client SHOULD minimize use of this grant type and utilize other grant types whenever possible.
client and authorization server
RFC 9700 - Section 2.4
Use the resource owner password credentials grant..
The resource owner password credentials grant [RFC6749] MUST NOT be used.
Validation Guidance
Reject or disable use of the resource owner password credentials grant, including requests containing this grant's `password` parameter.
For historical RFC 6749 conformance analysis, verify that `password` is present and contains the resource owner password.
For historical RFC 6749 conformance analysis, verify that `grant_type` is `password`.
Verify that legacy request parameters use `application/x-www-form-urlencoded` with UTF-8 in the HTTP request entity body.
For historical RFC 6749 conformance analysis, require and verify client authentication when applicable.
Verify supplied resource owner credentials using the authorization server's existing password validation algorithm.
Apply brute-force protections such as rate limiting or alert generation if legacy support remains present.
Ensure the client discards resource owner credentials after obtaining an access token.
Flag any remaining use of this grant as contrary to both RFC 6749's recommendation and RFC 9700's prohibition.
Security Notes
RFC 6749 - Section 10.7
The grant exposes highly privileged resource owner credentials to the client and risks client abuse or unintended disclosure through logs or other records.
RFC 9700 - Section 2.4
RFC 9700 prohibits the grant because it increases the credential attack surface, trains users to enter credentials outside the authorization server, and cannot properly support many multi-step or cryptographic authentication methods.
Reference
Details
- Entry Id
password- Name
password- Parameter Usage Location
token request- Change Controller
IETF- Reference
RFC6749