oauth2.dev

password

IETF

Registry Context

RFC 6749 defines `password` as a required token-request parameter carrying the resource owner's password in the resource owner password credentials grant. RFC 9700 now prohibits use of that grant.

Technical Summary

In the RFC 6749 password grant, `password` is included in the UTF-8 `application/x-www-form-urlencoded` token request body. The authorization server validates the supplied resource owner credentials and protects the endpoint against brute-force attacks. OAuth 2.0 Security BCP, RFC 9700, states that this grant MUST NOT be used.

When Used

Historically used in resource owner password credentials grant token requests. It must not be used under RFC 9700.

Normative Requirements

Clients

MUST
3
  1. RFC 6749 - Section 4.3.1

    Discard the resource owner credentials after obtaining an access token..

    Condition: Once an access token has been obtained.

    The client MUST discard the credentials once an access token has been obtained.

  2. RFC 6749 - Section 4.3.2

    Set `grant_type` to `password`..

    Condition: When evaluating a resource owner password credentials grant request under RFC 6749.

    Value MUST be set to "password".

  3. RFC 6749 - Section 4.3.2

    Authenticate with the authorization server as described in Section 3.2.1..

    Condition: If the client is confidential, was issued client credentials, or was assigned other authentication requirements.

    the client MUST authenticate with the authorization server as described in Section 3.2.1.

REQUIRED
1
  1. RFC 6749 - Section 4.3.2

    Include the `password` parameter, containing the resource owner password, in the token endpoint request..

    Condition: When evaluating a resource owner password credentials grant request under RFC 6749.

    password REQUIRED. The resource owner password.

Authorization servers

MUST
4
  1. RFC 6749 - Section 4.3.2

    Require client authentication..

    Condition: For confidential clients and clients issued credentials or assigned other authentication requirements.

    The authorization server MUST: require client authentication for confidential clients

  2. RFC 6749 - Section 4.3.2

    Authenticate the client..

    Condition: If client authentication is included.

    The authorization server MUST: authenticate the client if client authentication is included

  3. RFC 6749 - Section 4.3.2

    Validate the resource owner password credentials using its existing password validation algorithm..

    Condition: When processing the request under RFC 6749.

    The authorization server MUST: validate the resource owner password credentials using its existing password validation algorithm.

  4. RFC 6749 - Section 4.3.2

    Protect the token endpoint against brute-force attacks..

    Condition: When supporting resource owner password credential requests under RFC 6749.

    the authorization server MUST protect the endpoint against brute force attacks

authorization server and client

SHOULD
1
  1. RFC 6749 - Section 10.7

    Minimize use of the resource owner password credentials grant and use other grant types whenever possible..

    The authorization server and client SHOULD minimize use of this grant type and utilize other grant types whenever possible.

client and authorization server

MUST NOT
1
  1. RFC 9700 - Section 2.4

    Use the resource owner password credentials grant..

    The resource owner password credentials grant [RFC6749] MUST NOT be used.

Validation Guidance

error

Reject or disable use of the resource owner password credentials grant, including requests containing this grant's `password` parameter.

error

For historical RFC 6749 conformance analysis, verify that `password` is present and contains the resource owner password.

error

For historical RFC 6749 conformance analysis, verify that `grant_type` is `password`.

error

Verify that legacy request parameters use `application/x-www-form-urlencoded` with UTF-8 in the HTTP request entity body.

error

For historical RFC 6749 conformance analysis, require and verify client authentication when applicable.

error

Verify supplied resource owner credentials using the authorization server's existing password validation algorithm.

error

Apply brute-force protections such as rate limiting or alert generation if legacy support remains present.

error

Ensure the client discards resource owner credentials after obtaining an access token.

warning

Flag any remaining use of this grant as contrary to both RFC 6749's recommendation and RFC 9700's prohibition.

Security Notes

RFC 6749 - Section 10.7

The grant exposes highly privileged resource owner credentials to the client and risks client abuse or unintended disclosure through logs or other records.

RFC 9700 - Section 2.4

RFC 9700 prohibits the grant because it increases the credential attack surface, trains users to enter credentials outside the authorization server, and cannot properly support many multi-step or cryptographic authentication methods.

Reference

Details

Entry Id
password
Name
password
Parameter Usage Location
token request
Change Controller
IETF
Reference
RFC6749