On Mon, Feb 16, 2015 at 6:53 PM, Asela Pathberiya <[email protected]> wrote:
> Hi Prabath/Johann/IS Team,
>
> According to the openid-connect specification, it is stated that the
> recommended approach for granting id_token is by using code and
> implicit grant types. But WSO2IS supports the password grant type as
> well... I think it would be fine [1]. But what are the recommendations
> for selecting a grant type.... Is there any special reason for
> implementing the password grant type for openid-connect.... Are we
> recommending the password grant type for openid-connect ... What are
> the security considerations with it?
>
> I just doubt that we may have mistakenly supported the password grant
> type for openid-connect.. Because.. it seems we can retrieve
> an id_token even for the client credential grant type, which seems to be
> not correct.. [2]?
>

In the current implementation, it seems that whatever grant type hits the token endpoint with scope=openid, we issue an id_token; that is why we missed the Implicit grant type while including id_token token for all other grant types.

>
> [1]
> http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20130128/002981.html
> [2] https://wso2.org/jira/browse/IDENTITY-3055
>

+1 for [2], since the client credentials grant type has nothing to do with the resource owner.

>
> Thanks,
> Asela.
> --
> Thanks & Regards,
> Asela
>
> ATL
> Mobile : +94 777 625 933
> +358 449 228 979
>

--
Gayan Gunawardana
Software Engineer; WSO2 Inc.; http://wso2.com/
Email: [email protected]
Mobile: +94 (71) 8020933
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
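
The token-endpoint decision discussed in this thread, as an added example that is not WSO2 Identity Server code and not part of the original messages. It contrasts issuing an id_token for any grant that carries scope=openid with issuing one only when the grant authenticated an end user. The function names, issuer URL, signing key and the choice to count the password grant as eligible are assumptions.

```python
import base64, hashlib, hmac, json, time

# Grants in which an end user (resource owner) is authenticated. Listing
# "password" is an assumption; the thread leaves that question open. The
# implicit grant is served by the authorization endpoint, so it is not here.
END_USER_GRANTS = {"authorization_code", "password"}
ISSUER = "https://idp.example.test"  # constructed value
SIGNING_KEY = b"demo-only-key"       # constructed value


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_id_token(subject, client_id, now=None):
    """Compact HS256-signed JWT with the required ID Token claims."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": client_id,
              "iat": now, "exp": now + 3600}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def token_response(grant_type, scopes, client_id, subject=None, restrict=True):
    """Token endpoint JSON body (hypothetical helper).

    restrict=False: behaviour described in the thread, scope=openid alone
    triggers an id_token. restrict=True: the grant must also have
    authenticated an end user.
    """
    body = {"access_token": "opaque-demo-token", "token_type": "Bearer",
            "expires_in": 3600}
    if "openid" not in scopes:
        return body
    if not restrict:
        # Assumption of this sketch: with no end user, "sub" falls back to
        # the client id, so the token asserts no user authentication at all.
        body["id_token"] = make_id_token(subject or client_id, client_id)
    elif grant_type in END_USER_GRANTS and subject:
        body["id_token"] = make_id_token(subject, client_id)
    return body
```

A relying party that accepts the unrestricted output as proof of login would be trusting a token whose `sub` names the client rather than a user, which is the concern raised in [2].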
