We use Auth0 from October 2016. We have attached our application to your system that uses legacy grant_types (http://auth0.com/oauth/legacy/grant-type/ro). For newly created clients, I found a patch (Application Grant Types). Everything works reliably as before. We are creating 5-10 new clients every month.
- My question is how long will a legacy grant_types be maintained?
- Or, in other words, should we reprogram our application and did not use the legacy grant_types?
- Do you have an estimate of how long a legacy grant_types will exist?
- Do you have alternative options for authorization by name / password (similar to ‘http://auth0.com/oauth/legacy/grant-type/ro’)?
- Is there any reason not to use legacy grant_types?
(Q1) There is still not a definitive timeline for when legacy grants will stop being available/supported, but of course any dates when known will be communicated with sufficient time in advance. (Q2) Ideally you should not wait for the dates to be communicated because although you’ll have time to make the change after the communication of dates, moving immediately to non-legacy grants will possibly mean a better overall experience. Do have in mind that not all of the legacy grants already have equivalent non-legacy equivalents so check this table as a reference.
(Q3) See answer for Q1.
(Q4) Yes, for username/password authentication in a direct way (aka resource owner password credentials grant) you can use the
/oauth/token endpoint as the alternative for
/oauth/ro. Check the reference docs on information relevant to this.
(Q5) The reasons will be, in general, the ones associated with the notion of legacy. They are supported but will not receive new features, they may not exactly follow current standards in some situations, etc.