I have a JS website that tries to obtain an access token by passing the user name and password. I also maintain the auth server, so I consider the JS client as trusted. I am able to do this with ASP.NET 4.5.x, but when I try to do the same with IdentityServer, I get invalid_client.

I'm now trying out ASP.NET 5, and I believe the old OWIN middleware for acting as the identity provider is no longer going to be supported, and they are advocating IdentityServer for when we want to be the identity provider.

POST /connect/token HTTP/1.1
Host: localhost:59766
Content-Type: application/x-www-form-urlencoded

username=admin&password=pw&grant_type=password

I think the IdentityServer requires client information first, but that would mean I would have to expose client_secret on a web page (or native mobile app), which I believe is not allowed, per OAuth specs.

How do we turn off client requirement with IdentityServer?

On IdentityServer's github, I only see C# code that gathers client credentials plus user name and password to obtain an access token for resource owner credentials flow here. What is the equivalent raw HTTP request?

I personally don't care if another app were to try to impersonate my client. It's really the user's credentials that would allow access to anything anyway.

Mickael Caruso
  • Note: if you're looking for OAuthAuthorizationServerMiddleware's equivalent in ASP.NET 5 (the OAuth2 authorization server in OWIN/Katana/Web API), you can give AspNet.Security.OpenIdConnect.Server a try: http://stackoverflow.com/questions/30768015/configure-the-authorization-server-endpoint/30857524#30857524. It supports the exact scenario you're trying to achieve, without requiring client authentication. – Kévin Chalet Sep 24 '15 at 17:54
  • I tried that, but I can't seem to get the token generator to write the 3rd part of the JWT. I will ask this in a future question. – Mickael Caruso Sep 24 '15 at 21:31

1 Answer

In IdentityServer3, client authentication is mandatory: a token request cannot be validated if the client credentials are missing from the request, no matter which grant type you're using (authorization code, refresh token, resource owner password).

Of course, this is not really spec-compliant since client authentication is not needed for public applications like JS apps, but I guess this requirement is here to encourage you to use the implicit flow instead (https://www.rfc-editor.org/rfc/rfc6749#section-4.3.2).

If you really want to use ROPC with IdentityServer, you can flow the client credentials with the other OAuth2 parameters:

POST /connect/token HTTP/1.1
Host: localhost:59766
Content-Type: application/x-www-form-urlencoded

client_id=id&client_secret=not_secret_at_all&username=admin&password=pw&grant_type=password&scope=read+write

Kévin Chalet
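As an added illustration (not code from the question, the answer, or IdentityServer itself), the following JavaScript models both ends of the password-grant request discussed above: a client-side builder that produces the same form-encoded body as the raw requests shown, with the client credentials either in the body (as in the answer) or in an HTTP Basic header (RFC 6749 §2.3.1), and a simplified token-endpoint validator that returns `invalid_client` when the client cannot be identified or authenticated. The client registry, the `js-app` and `backend` client names and the `allowPublicClients` switch are constructed assumptions; `allowPublicClients: false` mirrors the mandatory-client-authentication behaviour the answer attributes to IdentityServer3, while `true` shows the RFC-permitted alternative where a registered public client sends only its `client_id`.

```javascript
// Added example, not IdentityServer's code. Models an OAuth2 resource-owner-
// password token request (RFC 6749 §4.3.2) on both the client and server side.

// Base64 helpers that work in browsers and in Node without extra imports.
const toBase64 = (s) => (typeof btoa === 'function' ? btoa(s) : Buffer.from(s, 'latin1').toString('base64'));
const fromBase64 = (s) => (typeof atob === 'function' ? atob(s) : Buffer.from(s, 'base64').toString('latin1'));

// --- Client side ---------------------------------------------------------
// Builds the x-www-form-urlencoded body. authMethod 'post' puts client_id /
// client_secret in the body (client_secret_post, as in the answer's request);
// 'basic' sends them as an HTTP Basic header (client_secret_basic, §2.3.1).
// A browser app cannot keep client_secret confidential: anything shipped in
// page JavaScript is readable by every user of the page.
function buildTokenRequest({ username, password, scope, clientId, clientSecret, authMethod = 'post' }) {
  const params = new URLSearchParams({ grant_type: 'password', username, password });
  if (scope) params.set('scope', scope); // URLSearchParams encodes the space as '+'
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  if (clientId && authMethod === 'basic') {
    // §2.3.1: form-urlencode id and secret before joining and base64-encoding
    const raw = `${encodeURIComponent(clientId)}:${encodeURIComponent(clientSecret ?? '')}`;
    headers.Authorization = 'Basic ' + toBase64(raw);
  } else if (clientId) {
    params.set('client_id', clientId);
    if (clientSecret !== undefined) params.set('client_secret', clientSecret);
  }
  return { headers, body: params.toString() };
}

// --- Server side ---------------------------------------------------------
// Constructed client registry: one public (browser) client without a secret,
// one confidential client with a secret.
const CLIENTS = {
  'js-app': { public: true, secret: null },
  backend: { public: false, secret: 'not_secret_at_all' },
};

// Length-independent comparison so a secret mismatch does not leak timing.
function constantTimeEqual(a, b) {
  const len = Math.max(a.length, b.length);
  let diff = a.length ^ b.length;
  for (let i = 0; i < len; i++) diff |= (a.charCodeAt(i) | 0) ^ (b.charCodeAt(i) | 0);
  return diff === 0;
}

// Accepts credentials from the Basic header or from the body; null if absent.
function extractClientCredentials(headers, params) {
  const auth = headers.Authorization || headers.authorization;
  if (auth && auth.startsWith('Basic ')) {
    const decoded = fromBase64(auth.slice(6));
    const idx = decoded.indexOf(':');
    if (idx < 0) return null;
    return {
      clientId: decodeURIComponent(decoded.slice(0, idx)),
      clientSecret: decodeURIComponent(decoded.slice(idx + 1)),
    };
  }
  if (params.has('client_id')) {
    return { clientId: params.get('client_id'), clientSecret: params.get('client_secret') };
  }
  return null;
}

// Validates a token request. Returns { ok: true, clientId, scopes } or { error }.
// With no client_id at all the server cannot tell which registered client is
// asking, so the request is rejected as invalid_client regardless of policy;
// that is the shape of the request in the question.
function validateTokenRequest(headers, body, { allowPublicClients = true } = {}) {
  const params = new URLSearchParams(body); // '+' in scope decodes back to a space
  const creds = extractClientCredentials(headers, params);
  if (!creds) return { error: 'invalid_client' };
  const client = CLIENTS[creds.clientId];
  if (!client) return { error: 'invalid_client' };
  if (client.public) {
    if (!allowPublicClients) return { error: 'invalid_client' }; // IdentityServer3-style policy
  } else if (!constantTimeEqual(client.secret, creds.clientSecret ?? '')) {
    return { error: 'invalid_client' };
  }
  if (params.get('grant_type') !== 'password') return { error: 'unsupported_grant_type' };
  if (!params.get('username') || !params.get('password')) return { error: 'invalid_request' };
  const scopes = (params.get('scope') || '').split(' ').filter(Boolean);
  return { ok: true, clientId: creds.clientId, scopes };
}
```

Running the question's body (`grant_type=password&username=admin&password=pw`) through `validateTokenRequest` yields `invalid_client` under either policy, because no client is named at all; the answer's body, with `client_id` and `client_secret` added, validates and returns the scopes `['read', 'write']`. The public-client path (`client_id=js-app`, no secret) is the RFC-permitted shape for a browser app; whether a given server accepts it is a policy choice, and the answer states that IdentityServer3 does not.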