As a replacement for RFC 6749, I am missing a "Direct Grant" with the same simplicity as the "Resource Owner Password Credentials" grant of RFC 6749.
The reason is that browser redirects are too complex and most of the time badly implemented by small teams. For the sake of having SMEs use OAuth 2.1 with their limited development capacities, I suggest keeping the simple "Resource Owner Password Credentials" with an OTP replacing the permanent password. We also have sample implementations working on the market with OTP-based "Resource Owner Password Credentials" with full compatibility to RFC 6749.

--
Francis Pouatcha
Co-Founder and Technical Lead at adorsys
https://adorsys-platform.de/solutions/
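An added example, not code from the post or from adorsys' implementation, of what the proposed OTP-based password grant looks like on the server side: the token endpoint takes the RFC 6749 section 4.3 request unchanged, but the `password` field carries a TOTP (RFC 6238) that is verified with a small skew window and marked as consumed so the same code cannot be redeemed twice. The user secret store, the fixed clock value and the token lifetime are constructed for the demo.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import parse_qs

# Constructed demo secret store; a real deployment provisions one secret per user.
USER_TOTP_SECRET = {"alice": base64.b32decode("JBSWY3DPEHPK3PXP")}
# (username, time step) pairs already redeemed: a TOTP is single-use here.
_used_codes = set()


def totp(secret: bytes, step: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for one 30-second time step."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def token_endpoint(body: str, now=None):
    """Handle an RFC 6749 section 4.3 request whose 'password' is a TOTP.

    Returns (http_status, json_body) exactly as the token endpoint would.
    """
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "password" or not {"username", "password"} <= form.keys():
        return 400, {"error": "invalid_request"}
    user, code = form["username"], form["password"]
    secret = USER_TOTP_SECRET.get(user)
    step = int((time.time() if now is None else now) // 30)
    # Accept the current step plus one step of clock skew either side; never a used code.
    for s in (step - 1, step, step + 1):
        if secret and (user, s) not in _used_codes and hmac.compare_digest(totp(secret, s), code):
            _used_codes.add((user, s))
            return 200, {"access_token": secrets.token_urlsafe(32),
                         "token_type": "Bearer", "expires_in": 3600}
    # Unknown user, wrong code and replayed code all get the same generic answer.
    return 400, {"error": "invalid_grant"}
```

The request on the wire is the plain `grant_type=password&username=...&password=...` form body of RFC 6749, which is what keeps the grant compatible with existing clients.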
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth