oauth2.dev

username

IETF

Registry Context

`username` is a parameter defined for the OAuth 2.0 resource owner password credentials token request. RFC 6749 marks it REQUIRED in that request and defines its syntax as `*UNICODECHARNOCRLF`; RFC 9700 says the resource owner password credentials grant MUST NOT be used.

Technical Summary

RFC 6749 Section 4.3.2 defines `username` as the resource owner username parameter in the `grant_type=password` access token request. RFC 6749 Appendix A defines `username = *UNICODECHARNOCRLF`. RFC 9700 Section 2.4 updates current security guidance by prohibiting use of the resource owner password credentials grant.

When Used

In the resource owner password credentials grant token request, a grant type that RFC 9700 says MUST NOT be used.

Normative Requirements

Clients

REQUIRED
1
  1. RFC 6749 - Section 4.3.2

    include the `username` parameter in the access token request.

    Condition: when making a resource owner password credentials grant token request

    username REQUIRED. The resource owner username.

Authorization servers

MUST
1
  1. RFC 6749 - Section 4.3.2

    protect the endpoint against brute force attacks.

    Condition: because the access token request utilizes the resource owner's password

    the authorization server MUST protect the endpoint against brute force attacks

Unspecified actor

MUST NOT
1
  1. RFC 9700 - Section 2.4

    use the resource owner password credentials grant.

    The resource owner password credentials grant [RFC6749] MUST NOT be used.

Validation Guidance

error

Reject resource owner password credentials token requests that omit `username`.

info

Validate `username` against the RFC 6749 ABNF `*UNICODECHARNOCRLF`; RFC 6749 defines this syntax but does not attach an uppercase BCP 14 requirement keyword to it.

error

Apply brute-force protection such as rate limiting or alerting to token endpoints that process resource owner password credentials requests.

error

Do not enable or accept the resource owner password credentials grant in implementations following OAuth 2.0 Security Best Current Practice.

Security Notes

RFC 6749 - Section 4.3.2

The `username` parameter is part of a request that also carries the resource owner password to the token endpoint.

RFC 9700 - Section 2.4

RFC 9700 prohibits the resource owner password credentials grant because it exposes resource owner credentials to the client, increases credential leakage risk, and trains users to enter credentials outside the authorization server.

Reference

Details

Entry Id
username
Name
username
Parameter Usage Location
token request
Change Controller
IETF
Reference
RFC6749