
Is it possible to add user/password in the REST API header or as query params when implementing OpenID Connect?

I have just finished a REST API that implements the OpenID Connect authorization code flow, and it's working fine: when I hit the API URL, it redirects me to the server, there I pass user/password, and after validation I get the response.

My doubt is: is it possible that I pass user/password in the REST API header or as query params, so that it doesn't redirect me to the login page but takes me directly to the API response?

ash

1 Answer


Sending username/password in a query parameter is not recommended. This holds even when you have HTTPS enabled (where query parameters will be encrypted on the line). Why? Please check this answer, which fully explains the reason. It's a security vulnerability, so do not use that approach.

Also, ideally OpenID Connect does not accept client credentials in the authorization request. So using HTTP headers won't be suitable either.

But if you are using OAuth 2.0, it provides a specific flow which can be used with special kinds of clients. The Resource Owner Password Credentials Grant allows you to request tokens from the token endpoint against end-user credentials. Maybe you want this approach due to the nature of your application.

Kavindu Dodanduwa
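An added example (not from the question or the answer) illustrating both points the answer makes: credentials in a query string survive in places TLS does not cover, such as server access logs, while the OAuth 2.0 Resource Owner Password Credentials grant puts them in a form-encoded POST body to the token endpoint (RFC 6749 section 4.3). The token endpoint URL, client identifiers and log lines are constructed placeholders.

```python
from urllib.parse import urlencode, urlsplit, parse_qs
from urllib.request import Request
import base64

# Parameter names that should never appear in a URL query string.
SENSITIVE_PARAMS = {"username", "user", "password", "pwd", "passwd", "client_secret"}


def credentials_in_query(url):
    """Return the set of sensitive parameter names found in the URL's query string."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name for name in params if name.lower() in SENSITIVE_PARAMS}


def audit_access_log(lines):
    """Flag request lines whose target URL carries credentials.

    These lines are what a web server or reverse proxy writes to disk in
    plaintext, regardless of HTTPS: the TLS tunnel ends at the server."""
    findings = []
    for line in lines:
        # Common Log Format: ... "GET /path?query HTTP/1.1" status size
        try:
            request_target = line.split('"')[1].split(" ")[1]
        except IndexError:
            continue  # not a request line; skip
        leaked = credentials_in_query(request_target)
        if leaked:
            findings.append((request_target, sorted(leaked)))
    return findings


def build_ropc_token_request(token_endpoint, client_id, client_secret,
                             username, password, scope="openid"):
    """Build (without sending) an ROPC token request.

    End-user credentials travel in the POST body; the client authenticates
    with HTTP Basic as in RFC 6749 section 2.3.1. Nothing secret is in the URL."""
    body = urlencode({"grant_type": "password", "username": username,
                      "password": password, "scope": scope}).encode()
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return Request(token_endpoint, data=body, method="POST", headers={
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": f"Basic {basic}",
    })


# Constructed sample access-log lines (placeholder hosts and values).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /api/orders?username=alice&password=hunter2 HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /api/orders?page=2 HTTP/1.1" 200 512',
]
```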