Does OpenID Connect support the Resource Owner Password Credentials grant?
I have been using OAuth resource owner credential flow previously for authorization.

However, I would now like to consider using OpenID Connect in place of this, for authentication and authorization, and was wondering if the resource owner credential flow is supported in OpenID Connect.

Optical answered 4/6, 2014 at 20:33 Comment(0)
Yes, OpenID Connect supports all OAuth 2.0 grant types including Resource Owner Password Credentials Grant and Client Credentials Grant.

As we know, Authorization Code Grant and Implicit Grant are typical 3-legged flows including interaction between a client, an authorization server and a user. While the Resource Owner Password Credential Grant and Client Credential Grant are 2-legged which means the client uses pre-authorized scopes so that no interaction with the user is necessary, removing the need to perform one of the legs in the typical flow.

Here is a reference: Configuring an OpenID Connect Provider to enable 2-legged OAuth requests

Pahlavi answered 5/6, 2014 at 2:58 Comment(4)
Do you know why? Any alternatives? - Ouidaouija
Does it return an ID token in the response? Because in my case it did not. - Thorvald
No, it does not. - Thorvald
Your URL is dead btw. Says no content found. - Demarcate
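An added example, not part of the original question or answers: the ROPC token request the answer above describes, carrying `scope=openid`, together with the client-side handling of what the OP sends back, including the case raised in the comments where the OP honours `grant_type=password` but returns no `id_token`. The issuer, client ID, client secret, claims and both token responses are constructed for illustration; the ID token is signed with HS256 keyed by the client secret (OIDC Core §10.1 permits this for confidential clients; most OPs use RS256 and a JWKS instead, which would replace `CLIENT_SECRET` with key lookup by `kid`). Nothing is contacted over the network.

```python
"""Resource Owner Password Credentials (RFC 6749 §4.3) with scope=openid,
and the ID token checks a client must do before trusting the result.
All identifiers, secrets and responses below are constructed."""
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

# Constructed client registration (hypothetical values, not a real OP).
ISSUER = "https://op.example.com"
CLIENT_ID = "cli-app"
CLIENT_SECRET = b"s3cret-shared-with-the-op"  # doubles as the HS256 key (OIDC Core §10.1)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_ropc_request(username: str, password: str):
    """Headers and form body for POST {token_endpoint}. Note that the user's raw
    password passes through the client: that is the property the second answer
    on this page objects to, and why ROPC is confined to first-party clients."""
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET.decode()}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "password", "username": username,
                      "password": password, "scope": "openid profile"})
    return headers, body


def validate_id_token(id_token: str, now: int) -> dict:
    """OIDC Core §3.1.3.7: verify the signature, then iss, aud and exp.
    The alg is pinned so an 'alg: none' or algorithm-swapped token is rejected."""
    try:
        h, p, s = id_token.split(".")
    except ValueError:
        raise ValueError("id_token is not a compact JWS")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(CLIENT_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), s):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def handle_token_response(resp: dict, now: int) -> dict:
    """Classify the OP's response. An access token alone authorizes API calls;
    it does not authenticate the user to the client, so a response without an
    id_token (the case reported in the comments) must not be treated as a login."""
    if "error" in resp:
        return {"status": "error", "error": resp["error"]}
    if "id_token" not in resp:
        return {"status": "no_id_token", "access_token": resp.get("access_token")}
    claims = validate_id_token(resp["id_token"], now)
    return {"status": "authenticated", "sub": claims["sub"],
            "access_token": resp.get("access_token")}


def _mint_id_token(now: int) -> str:
    """Constructed OP side: the ID token a compliant OP returns for scope=openid."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID,
                                  "iat": now, "exp": now + 300}).encode())
    sig = hmac.new(CLIENT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


# Constructed responses: an OP that mints an ID token for ROPC, and one that does not.
NOW = 1_700_000_000
RESPONSE_WITH_ID_TOKEN = {"access_token": "at-1", "token_type": "Bearer",
                          "expires_in": 3600, "id_token": _mint_id_token(NOW)}
RESPONSE_WITHOUT_ID_TOKEN = {"access_token": "at-2", "token_type": "Bearer",
                             "expires_in": 3600}

if __name__ == "__main__":
    _, body = build_ropc_request("alice", "correct horse battery staple")
    print(body)
    print(handle_token_response(RESPONSE_WITH_ID_TOKEN, NOW))
    print(handle_token_response(RESPONSE_WITHOUT_ID_TOKEN, NOW))
```

The point of `handle_token_response` is the branch the comments hit: a token endpoint may accept `grant_type=password` purely as OAuth 2.0 and hand back only an access token, and a client that then treats the user as "logged in" has done authorization, not authentication. Checking for the `id_token` and validating it (signature, `iss`, `aud`, `exp`) is what makes the exchange OpenID Connect rather than plain OAuth.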
The answer is YES. It is not explicit in the specification but OpenID Connect supports all OAuth 2.0 flows since it is an extension of OAuth 2.0.

The spec talks about the flows that involve browser redirect as they are more common, more secure and less brittle given that resource owner credentials only supports username and password and is only in the OAuth 2 spec for backwards compatibility.

In true SSO systems you'd want to abstract away from the method of authenticating the user at the OP/IDP. Involving a browser is a way to do that. In the Resource Owner Password Credentials flow the client "sees" the username/password of the Resource Owner unlike the other flows, which defeats the primary purpose of a federated SSO protocol like OpenID Connect where authentication mechanisms and credentials should be independent from the client/app. For that reason you won't see much use of ROPC in OpenID Connect, with an exception perhaps in intra-enterprise use cases.

But your mileage may vary wrt. support in specific OP/AS software and client libraries.

Kester answered 30/12, 2014 at 23:57 Comment(1)
Another way of looking at this: using the Resource Owner Password Credentials grant type with OpenID Connect is functionally equivalent to using an LDAP bind + attribute query; the latter is perhaps more universally supported across platforms. - Kester
Yes. I was also looking for the answer to the same question some time back. According to the OpenID Connect specification, it is recommended to use the authorization code and implicit grant types for OpenID Connect requests. But it is not mentioned that other grant types cannot be used. Therefore you can use any other grant type for an OpenID Connect authentication request. There is a mail thread from the OpenID Connect group in which this has been discussed. Please find it here. If your OAuth2 Authorization server supports it, I guess that it is fine to use it. As I know, most of the Authorization servers support it, as an example from here

Medullated answered 27/4, 2015 at 7:51 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.