Hi Prabath/Johann/IS Team,

According to the OpenID Connect specification, it is stated that the recommended approach for granting an id_token is by using the code and implicit grant types. But WSO2IS supports the password grant type as well... I think it would be fine [1]. But what are the recommendations for selecting a grant type? Is there any special reason for implementing the password grant type for OpenID Connect? Are we recommending the password grant type for OpenID Connect? What are the security considerations with it?

I just doubt that we may have mistakenly supported the password grant type for OpenID Connect, because it seems that we can retrieve an id_token even for the client credential grant type, which seems to be not correct [2]?

[1] http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20130128/002981.html
[2] https://wso2.org/jira/browse/IDENTITY-3055

Thanks,
Asela.

--
Thanks & Regards,
Asela

ATL
Mobile : +94 777 625 933
+358 449 228 979
