Scenario:
User says that password reset email doesn’t arrive in his mailbox. We’ve decided to allow him to update his password directly in our website. We need to validate that he knows his current_password, and request a new_password.
Question
The passwordless authenticate user api endpoint is deprecated /oauth/ro [1].
How can I validate through the API the user’s current password?
Why was the /oauth/ro API deprecated? Is it not secure? In what scenario is itnot secure?
As mentioned in the API explorer entry for /oauth/ro that endpoint was replaced by resource owner password credentials grant available at /oauth/tokenendpoint and which complies to the applicable specifications; the /ro endpoint has some issues with specification compliance and as such as been superseded. The /token endpoint would also accept the current password and email/username as means to exchange it for tokens which would only happen if the credentials are valid.