Skip to content

Commit

Permalink
docs: add deprecation to communicate ropc discouragement (#665)
Browse files Browse the repository at this point in the history 
This adds godoc deprecations to the compose.OAuth2ResourceOwnerPasswordCredentialsFactory and oauth2.ResourceOwnerPasswordCredentialsGrantHandler in order to clearly communicate the discouragement of the ROPC grant type to users implementing this library.
  • Loading branch information
@james-d-elliott
james-d-elliott authored Apr 17, 2022
1 parent 5035478 commit df491be
Show file tree
Hide file tree
Showing 2 changed files with 7 additions and 0 deletions.
4 changes: 4 additions & 0 deletions compose/compose_oauth2.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -88,6 +88,10 @@ func OAuth2AuthorizeImplicitFactory(config *Config, storage interface{}, strateg

// OAuth2ResourceOwnerPasswordCredentialsFactory creates an OAuth2 resource owner password credentials grant handler and registers
// an access token, refresh token and authorize code validator.
//
// Deprecated: This factory is deprecated as a means to communicate that the ROPC grant type is widely discouraged and
// is at the time of this writing going to be omitted in the OAuth 2.1 spec. For more information on why this grant type
// is discouraged see: https://www.scottbrady91.com/oauth/why-the-resource-owner-password-credentials-grant-type-is-not-authentication-nor-suitable-for-modern-applications
func OAuth2ResourceOwnerPasswordCredentialsFactory(config *Config, storage interface{}, strategy interface{}) interface{} {
return &oauth2.ResourceOwnerPasswordCredentialsGrantHandler{
ResourceOwnerPasswordCredentialsGrantStorage: storage.(oauth2.ResourceOwnerPasswordCredentialsGrantStorage),
Expand Down
3 changes: 3 additions & 0 deletions handler/oauth2/flow_resource_owner.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,9 @@ import (
"github.com/ory/fosite"
)

// Deprecated: This handler is deprecated as a means to communicate that the ROPC grant type is widely discouraged and
// is at the time of this writing going to be omitted in the OAuth 2.1 spec. For more information on why this grant type
// is discouraged see: https://www.scottbrady91.com/oauth/why-the-resource-owner-password-credentials-grant-type-is-not-authentication-nor-suitable-for-modern-applications
type ResourceOwnerPasswordCredentialsGrantHandler struct {
// ResourceOwnerPasswordCredentialsGrantStorage is used to persist session data across requests.
ResourceOwnerPasswordCredentialsGrantStorage ResourceOwnerPasswordCredentialsGrantStorage
Expand Down

0 comments on commit df491be

Please sign in to comment.