JohnB> I would have the client use the resource owner credentials flow if it has the password. Torsten> We use OIDC in conjunction with resource owner password credential grant for native apps (no 3rd party apps, just our own apps)
John/Torsten - Are you returning an id_token in the resource owner creds flow? Todd Lainhart Rational software IBM Corporation 550 King Street, Littleton, MA 01460-1250 1-978-899-4705 2-276-4705 (T/L) [email protected] From: John Bradley <[email protected]> To: Torsten Lodderstedt <[email protected]>, Cc: Todd W Lainhart/Lexington/IBM@IBMUS, "[email protected]" <[email protected]> Date: 10/26/2013 08:10 AM Subject: Re: Seeking guidance on the implementation of native/rich client flow I would have the client use the resource owner credentials flow if it has the password. If it is going to authenticate based on some other credential already in the browser then use the code flow. I would need to know more about the other credentials. I am assuming a desktop app if it is Eclipse based. John B. Sent from my iPhone On Oct 26, 2013, at 8:52 AM, Torsten Lodderstedt <[email protected]> wrote: We use OIDC in conjunction with resource owner password credential grant for native apps (no 3rd party apps, just our own apps) Todd W Lainhart <[email protected]> schrieb: I'm referencing http://openid.net/specs/openid-connect-core-1_0.html We have an Authorization Server that supports SSO via session extensions to OAuth 2.0. We're looking to replace that protocol w/ OIDC. There's a couple of sticky points that I'm not sure how to translate. 1) Rich/Native Client login Imagine an Eclipse-based rich client accepts user credentials and receives a bearer token in return. The negotiation may be basic, credentials-based, SPENGO. The client is anonymous. Rather than using the Resource Owner Password Credentials Grant (where username/password are REQUIRED parameters), we opted for a custom endpoint so that the AS could determine if the request was authenticated in the absence of username/password. Similar to Resource Owner Password Credentials Grant. I'm wondering what the guidance is for such a setup in OIDC. Implicit requires the native client to follow (presumably) 302s with the AS until it gets the final 302 to the callback location. Seems messy for this setup. In the absence of guidance/precedent, I'm inclined to think that a Resource Owner Password Credentials Grant style extension is the way to go for this scenario. Todd Lainhart Rational software IBM Corporation 550 King Street, Littleton, MA 01460-1250 1-978-899-4705 2-276-4705 (T/L) [email protected] specs mailing list [email protected] http://lists.openid.net/mailman/listinfo/openid-specs _______________________________________________ specs mailing list [email protected] http://lists.openid.net/mailman/listinfo/openid-specs
_______________________________________________ specs mailing list [email protected] http://lists.openid.net/mailman/listinfo/openid-specs
