username
Registry Context
`username` is a parameter defined for the OAuth 2.0 resource owner password credentials token request. RFC 6749 marks it REQUIRED in that request and defines its syntax as `*UNICODECHARNOCRLF`; RFC 9700 says the resource owner password credentials grant MUST NOT be used.
Technical Summary
RFC 6749 Section 4.3.2 defines `username` as the resource owner username parameter in the `grant_type=password` access token request. RFC 6749 Appendix A defines `username = *UNICODECHARNOCRLF`. RFC 9700 Section 2.4 updates current security guidance by prohibiting use of the resource owner password credentials grant.
When Used
In the resource owner password credentials grant token request, a grant type that RFC 9700 says MUST NOT be used.
Normative Requirements
Clients
RFC 6749 - Section 4.3.2
include the `username` parameter in the access token request.
Condition: when making a resource owner password credentials grant token request
username REQUIRED. The resource owner username.
Authorization servers
RFC 6749 - Section 4.3.2
protect the endpoint against brute force attacks.
Condition: because the access token request utilizes the resource owner's password
the authorization server MUST protect the endpoint against brute force attacks
Unspecified actor
RFC 9700 - Section 2.4
use the resource owner password credentials grant.
The resource owner password credentials grant [RFC6749] MUST NOT be used.
Validation Guidance
Reject resource owner password credentials token requests that omit `username`.
Validate `username` against the RFC 6749 ABNF `*UNICODECHARNOCRLF`; RFC 6749 defines this syntax but does not attach an uppercase BCP 14 requirement keyword to it.
Apply brute-force protection such as rate limiting or alerting to token endpoints that process resource owner password credentials requests.
Do not enable or accept the resource owner password credentials grant in implementations following OAuth 2.0 Security Best Current Practice.
Security Notes
RFC 6749 - Section 4.3.2
The `username` parameter is part of a request that also carries the resource owner password to the token endpoint.
RFC 9700 - Section 2.4
RFC 9700 prohibits the resource owner password credentials grant because it exposes resource owner credentials to the client, increases credential leakage risk, and trains users to enter credentials outside the authorization server.
Reference
Details
- Entry Id
username- Name
username- Parameter Usage Location
token request- Change Controller
IETF- Reference
RFC6749