Another quick update, I have added support for password grants to the Known OAuth2 server.

Logging in with a username and password is exactly the sort of thing that OAuth2 was designed to avoid; however, support for the password grant is still a handy thing to have.

For a start, it makes it a lot easier to use the API via a command line application, or to present a familiar UX for people using a custom Known client (e.g. a mobile app).

Having password grant support will also allow us to deprecate the built-in HTTP header authentication method. That method is simple and works well enough, but it is far from being a standard, and so requires people to write their own libraries to use it!

Using OAuth will also let those clients make use of OpenID Connect, and the future federation stuff I hope to get time to build one of these days.

Anyway, hope this is useful to you!

» Visit the project on Github...

This is just a quick post to nudge you towards a little plugin I wrote for Known which enforces a minimum password strength for user passwords.

The plugin works by estimating the entropy of the password according to NIST recommendations, and rejecting passwords whose estimated entropy is too low.

By default the minimum entropy is 44, but this can be changed through a configuration setting.
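As an added illustration of the kind of check described above (this is not the plugin's own code), the following applies the NIST SP 800-63 Appendix A entropy heuristic for user-chosen passwords and rejects anything below the page's default threshold of 44 bits. It assumes the plugin follows that heuristic, and it omits the optional dictionary-check bonus from the NIST scheme.

```python
# Added example, not the Known plugin's code. Assumption: the plugin's
# "NIST recommendations" are the SP 800-63 Appendix A estimate for
# user-chosen passwords. The dictionary-check bonus is omitted here.

DEFAULT_MIN_ENTROPY = 44.0  # the page's stated default, in bits


def nist_entropy(password: str) -> float:
    """Estimate the entropy of a user-chosen password in bits.

    SP 800-63 Appendix A rules: the first character is worth 4 bits,
    characters 2-8 are worth 2 bits each, characters 9-20 are worth
    1.5 bits each, and every character after the 20th is worth 1 bit.
    A 6-bit bonus is added when the password contains both upper-case
    letters and non-alphabetic characters.
    """
    bits = 0.0
    for position in range(1, len(password) + 1):
        if position == 1:
            bits += 4.0
        elif position <= 8:
            bits += 2.0
        elif position <= 20:
            bits += 1.5
        else:
            bits += 1.0

    has_upper = any(c.isupper() for c in password)
    has_non_alpha = any(not c.isalpha() for c in password)
    if has_upper and has_non_alpha:
        bits += 6.0
    return bits


def is_acceptable(password: str, min_entropy: float = DEFAULT_MIN_ENTROPY) -> bool:
    """Return True when the estimated entropy meets the configured minimum."""
    return nist_entropy(password) >= min_entropy


if __name__ == "__main__":
    # Constructed sample passwords to show where the threshold falls.
    for candidate in ("password", "Tr0ub4dor&3",
                      "correcthorsebatterystaple", "Correct-Horse-Battery-Staple"):
        print(f"{candidate!r}: {nist_entropy(candidate):.1f} bits, "
              f"accepted={is_acceptable(candidate)}")
```

Note that a long all-lower-case passphrase scores below 44 under this heuristic even though it is far harder to guess than a short mixed-character password, which is one reason the threshold is configurable.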

For this plugin to work, until my pull request is merged into the core code, you’ll need to apply the patches available from my password validation branch.

Anyway, give it a kick about!

» Visit the project on Github...

Image “Password Strength” by XKCD