Another quick update, I have added support for password grants to the Known OAuth2 server.
Logging in using a username and password is exactly the sort of thing that OAuth2 was developed to avoid, however support for the password grant is a handy thing to have.
For a start, it makes it a lot easier to use the API via a command line application, or to present a familiar UX for people using a custom Known client (e.g. a mobile app).
Having password grant support will also allow us to deprecate the built in HTTP Header authentication method. This method is simple, and works well enough, but it is far from being a standard, and so requires people to write their own libraries to use it!
Using OAuth will also let those clients make use of OpenID connect, and the future federation stuff I hope to get time to build one of these days.
Anyway, hope this is useful to you!
This is just a quick post to nudge you towards a little plugin I wrote for Known which enforces a minimum password strength for user passwords.