Secure Oauth 2.0 Resource Owner Password Credentials Grant Type

Question

In order to get an access token in resource owner password credentials grant type of OAuth 2.0, you need to POST something like

https://oauth.example.com/token?grant_type=password&username=USERNAME&password=PASSWORD&client_id=CLIENT_ID

I don't like posting a username and password in plaintext (additional layer of security), what are the recommended ways to deal with it given that we will use SSL?

I was thinking of getting a nonce first from the server and then use it to hash the username and password in the POST request.

Answer 1

A few things to note first:

1. the formal name of the grant type you describe is Resource Owner Password Credentials grant

2. the sample you present shows parameters as part of the query string, which is typically used with a HTTP GET request

3. a real POST would present the parameters in the HTTP body and when using SSL the parameters won't be accessible outside of both ends of the connection so in principle only visible to the sender and the receiver, which is fine for most use cases

The ROPC grant is defined by the OAuth specification and passes the user credentials as plaintext. Your suggestion is a (arguably relatively small) security improvement over that since it wouldn't pass any secrets verbatim but only the "proof of possession" of that secret.

Yet any modification to the existing flow would rely on support for a non-standard protocol feature on both the Client side and the Authorization Server side which is outside of the spec and as such can only be made to work when you control both sides.