OpenID Connect: Resource Owner Credentials

OIDC does not support the resource owner credentials grant. Why? Some of my clients are secure devices that can securely hold credentials ... These credentials can be used to obtain an access_token. Can I use OpenID Connect?

+6
3 answers

It is not explicit in the specification, but OpenID Connect supports all OAuth 2.0 flows, since it is an extension of OAuth 2.0.

The specification talks about the flows that involve browser redirection, since they are more common, more secure and less fragile, given that the resource owner credentials grant supports only username and password and is in the OAuth 2 specification only for backward compatibility. In a true single sign-on system you want to abstract away the user authentication method at the OP / IdP, and going through the browser is the way to do that.

But your mileage may vary regarding support in specific OP / AS implementations and client libraries.

FWIW: you should look for an id_token, not an access_token.

+5

OpenID Connect performs authentication to log in the end user or to determine that the end user is already logged in. OpenID Connect returns the result of the authentication performed by the server to the Client in a secure manner so that the Client can rely on it.

With the implicit and authorization code flow types, an ID token cannot be issued if the end user is not logged in. In that case the authorization server can confirm to the relying party that the end user is logged in. But with a flow such as the resource owner credentials grant, the authorization server cannot confirm that the end user is logged in: it can issue an access token even if the end user is not logged in.

+1
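As an added example (not from the question or any of the answers above), the following Python routine illustrates the point of the first answer (look at the id_token, not the access_token) and of the second (only the id_token asserts that an end user authenticated): it builds the password-grant token request with scope=openid and validates the id_token from the token response. The issuer, client_id and client_secret are constructed values, and the token-minting helper stands in for the OP only so the code runs offline.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlencode

# Constructed values for this example (hypothetical OP and client, not from the page).
ISSUER = "https://op.example.com"
CLIENT_ID = "device-client"
CLIENT_SECRET = "constructed-client-secret"

def build_password_grant_request(username, password, scope="openid"):
    """Body of a resource owner password credentials token request (RFC 6749 4.3).
    The 'openid' scope is what asks the OP for an id_token next to the access_token."""
    return urlencode({"grant_type": "password", "username": username,
                      "password": password, "scope": scope, "client_id": CLIENT_ID})

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _hs256(signing_input):
    # OIDC allows HS256 id_tokens keyed with the client_secret (Core 10.1).
    return hmac.new(CLIENT_SECRET.encode(), signing_input.encode(), hashlib.sha256).digest()

def verify_id_token(token_response, now):
    """Pick the id_token out of a token response and validate it (OIDC Core 3.1.3.7):
    signature, then iss, aud, exp and presence of sub/iat. The access_token is ignored
    on purpose: only the id_token asserts which end user authenticated."""
    id_token = token_response.get("id_token")
    if not id_token:
        raise ValueError("no id_token: the response proves authorization, not authentication")
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(_hs256(f"{header_b64}.{payload_b64}"), _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER or CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong iss or aud")
    if "sub" not in claims or "iat" not in claims or claims.get("exp", 0) <= now:
        raise ValueError("missing sub/iat or expired")
    return claims

def mint_test_id_token(sub, now, ttl=300):
    """OP-side helper, constructed only so the example runs offline (a client never mints)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": ISSUER, "sub": sub, "aud": CLIENT_ID,
                                  "iat": now, "exp": now + ttl}).encode())
    return f"{header}.{payload}.{_b64url(_hs256(f'{header}.{payload}'))}"
```

A token response that carries only an access_token is rejected, which is exactly the case the second answer describes: the client has been authorized but cannot tell who, if anyone, logged in.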

Yes. I was once looking for the answer to the same question. According to the OpenID Connect specification, it is recommended to use the authorization code and implicit grant types for OpenID Connect requests, but it is not mentioned that other grant types cannot be used. Therefore you can use other grant types to request OpenID Connect authentication. There is a mail thread from the OpenID Connect group where this issue was discussed; please find it here. If your OAuth2 authorization server supports it, I think using it is fine. As far as I know, most authorization servers support it, for example here.

-1

Source: https://habr.com/ru/post/977966/
