We use OIDC in conjunction with resource owner password credential grant for native apps (no 3rd party apps, just our own apps).
Todd W Lainhart <lainh...@us.ibm.com> wrote:

> I'm referencing http://openid.net/specs/openid-connect-core-1_0.html
>
> We have an Authorization Server that supports SSO via session extensions to OAuth 2.0. We're looking to replace that protocol w/ OIDC. There's a couple of sticky points that I'm not sure how to translate.
>
> 1) Rich/Native Client login
>
> Imagine an Eclipse-based rich client accepts user credentials and receives a bearer token in return. The negotiation may be basic, credentials-based, SPNEGO. The client is anonymous. Rather than using the Resource Owner Password Credentials Grant (where username/password are REQUIRED parameters), we opted for a custom endpoint so that the AS could determine if the request was authenticated in the absence of username/password. Similar to Resource Owner Password Credentials Grant.
>
> I'm wondering what the guidance is for such a setup in OIDC. Implicit requires the native client to follow (presumably) 302s with the AS until it gets the final 302 to the callback location. Seems messy for this setup.
>
> In the absence of guidance/precedent, I'm inclined to think that a Resource Owner Password Credentials Grant style extension is the way to go for this scenario.
>
> Todd Lainhart
> Rational software
> IBM Corporation
> 550 King Street, Littleton, MA 01460-1250
> 1-978-899-4705
> 2-276-4705 (T/L)
> lainh...@us.ibm.com
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> specs mailing list
> sp...@lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs