For my application I plan on using the OAuth2 Resource Owner Password Credential Grant with an OIDC server.
So I think I'm a little confused regarding the flow.
So as I understand this, I'm supposed to get back the id_token along with the access token, as when we use the Password grant we skip the authorization step. Am I understanding it correctly?

Most examples online seem to be referring to getting the id_token along with an authorize request, not an access token request... please help.

Edit: I would appreciate constructive criticism instead of just down-votes.

Dannyboy

1 Answer

Resource Owner Password Credential Grant (ROPCG) is a grant type defined in the OAuth 2.0 framework, and the id token is defined by the OpenID Connect protocol (OIDC). OIDC is an extension (built on top) of OAuth 2.0, so it inherits most things from OAuth 2.0.

If you check the OAuth 2.0 spec, you will see that ROPCG skips the authorization request. This is done as the end user (resource owner) grant is now obtained through the client application itself (for the auth. code flow or implicit flow, this is done by the auth server). So tokens are directly obtained through the token endpoint of the authorization server. So yes, it skips the authorization step, but the client performs the end user grant obtaining.

Now to the id token with the ROPCG grant. This depends on the identity provider you are using. Though the OIDC spec does not mention the ROPCG flow, identity providers can still issue id tokens with the token response. This is allowed by the OAuth 2.0 specification as well. So if your identity provider (authorization server) supports this, then you can obtain the id token from the token response.

Kavindu Dodanduwa
  • Also check about OIDC compatibility explained in this answer too - https://stackoverflow.com/questions/24047047/does-openid-connect-support-the-resource-owner-password-credentials-grant – Kavindu Dodanduwa Jun 05 '18 at 15:43
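The flow the answer describes, as an added example that is not part of the question, the answer or any real provider's code: the client sends a single `grant_type=password` request to the token endpoint (no authorize step), and a stand-in OIDC-capable authorization server returns an access token plus an `id_token` only when the `openid` scope was requested. The client then applies the ID token checks (signature, `iss`, `aud`, `exp`) that still apply without an authorization request. The issuer, client id, signing key, user and credentials are all constructed for the demo; a real provider signs with its published JWKS and the client must verify against that, not a shared secret.

```python
"""
Added example: minimal model of OAuth 2.0 ROPC (RFC 6749 section 4.3) and an
OIDC token response that carries an id_token. Everything below is constructed
locally; fake_token_endpoint stands in for the authorization server.
"""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode

# Constructed demo values (hypothetical issuer, client and HMAC key).
ISSUER = "https://issuer.example"
CLIENT_ID = "demo-client"
SIGNING_KEY = b"constructed-demo-key-not-for-real-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_ropc_request(username: str, password: str, scope: str = "openid profile") -> str:
    """Form body for the token endpoint (RFC 6749 section 4.3.2). Requesting
    the 'openid' scope is what tells an OIDC provider that an id_token is wanted."""
    return urlencode({"grant_type": "password", "username": username,
                      "password": password, "scope": scope})


def _sign_id_token(claims: dict) -> str:
    """HS256-style compact JWS; stands in for the provider's real signing."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def fake_token_endpoint(form_body: str, now: int) -> dict:
    """Stand-in authorization server: checks the grant and returns a token
    response. Issues an id_token only when 'openid' was in the scope."""
    form = {k: v[0] for k, v in parse_qs(form_body).items()}
    if form.get("grant_type") != "password":
        return {"error": "unsupported_grant_type"}
    # Constructed credential check; a real server consults its user store.
    if (form.get("username"), form.get("password")) != ("alice", "correct horse"):
        return {"error": "invalid_grant"}
    response = {"access_token": "constructed-opaque-access-token",
                "token_type": "Bearer", "expires_in": 3600}
    if "openid" in form.get("scope", "").split():
        response["id_token"] = _sign_id_token({
            "iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID,
            "iat": now, "exp": now + 3600})
    return response


def verify_id_token(id_token: str, now: int) -> dict:
    """Client-side ID token validation (OIDC Core section 3.1.3.7): signature,
    issuer, audience and expiry. No nonce check: ROPC has no authorize request."""
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token not intended for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("id_token expired")
    return claims


def password_grant_login(username: str, password: str, scope: str = "openid", now=None):
    """Full client flow: one POST to the token endpoint, no authorize step.
    Returns (access_token, verified id_token claims or None if none was issued)."""
    now = int(time.time()) if now is None else now
    resp = fake_token_endpoint(build_ropc_request(username, password, scope), now)
    if "error" in resp:
        raise PermissionError(resp["error"])
    claims = verify_id_token(resp["id_token"], now) if "id_token" in resp else None
    return resp["access_token"], claims


if __name__ == "__main__":
    token, id_claims = password_grant_login("alice", "correct horse")
    print(token, id_claims)
```

Two points the code makes concrete: whether an `id_token` appears depends on the provider and on asking for the `openid` scope, and the client still has to validate that token even though it arrived straight from the token endpoint.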