Seeking guidance on the implementation of native/rich client flow
Todd W Lainhart
lainhart at us.ibm.com
Fri Oct 25 21:46:20 UTC 2013
I'm referencing http://openid.net/specs/openid-connect-core-1_0.html
We have an Authorization Server that supports SSO via session extensions
to OAuth 2.0. We're looking to replace that protocol w/ OIDC. There are a
couple of sticky points that I'm not sure how to translate.
1) Rich/Native Client login
Imagine an Eclipse-based rich client accepts user credentials and receives
a bearer token in return. The negotiation may be basic,
credentials-based, or SPNEGO. The client is anonymous. Rather than using
the Resource Owner Password Credentials Grant (where username/password are
REQUIRED parameters), we opted for a custom endpoint so that the AS could
determine if the request was authenticated in the absence of
username/password. Similar to Resource Owner Password Credentials Grant.
I'm wondering what the guidance is for such a setup in OIDC. Implicit
requires the native client to follow (presumably) 302s with the AS until
it gets the final 302 to the callback location. Seems messy for this
setup.
In the absence of guidance/precedent, I'm inclined to think that a
Resource Owner Password Credentials Grant style extension is the way to go
for this scenario.
Todd Lainhart
Rational software
IBM Corporation
550 King Street, Littleton, MA 01460-1250
1-978-899-4705
2-276-4705 (T/L)
lainhart at us.ibm.com
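An added illustration of the redirect-following the post describes for the implicit flow: a native client walks the AS's 302 chain and only reads a bearer token from the fragment once the Location matches its registered callback exactly and the state round-trips. This is example code, not from the poster's system or the OIDC spec; the AS URLs, client_id, callback and token values are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed redirect chain standing in for the AS hops a native client
# would follow under the implicit flow (hypothetical URLs, not from the post).
REDIRECT_URI = "http://127.0.0.1:8421/callback"
START_URL = "https://as.example/authorize?response_type=token&client_id=rcp&state=xyz"
CHAIN = {
    START_URL: (302, "https://as.example/login?step=spnego"),
    "https://as.example/login?step=spnego": (302, "https://as.example/consent"),
    "https://as.example/consent":
        (302, REDIRECT_URI + "#access_token=tok123&token_type=bearer&state=xyz"),
}

def fetch(url):
    """Stand-in for an HTTP GET; returns (status, Location) from the constructed chain."""
    return CHAIN.get(url, (404, None))

def is_registered_callback(location, registered):
    """Compare scheme, host:port and path exactly; only query and fragment may differ."""
    got, want = urlsplit(location), urlsplit(registered)
    return (got.scheme, got.netloc, got.path) == (want.scheme, want.netloc, want.path)

def follow_implicit_flow(start_url, expected_state, max_hops=10):
    """Follow 302s until the Location is the registered callback, then read the fragment.
    Returns the bearer token, or None if the chain breaks, runs too long, or mismatches."""
    url = start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if status != 302 or not location:
            return None  # a non-redirect (e.g. login error page) ends the flow
        if is_registered_callback(location, REDIRECT_URI):
            frag = parse_qs(urlsplit(location).fragment)
            if frag.get("state") != [expected_state]:
                return None  # CSRF guard: state must come back unchanged
            if frag.get("token_type", [""])[0].lower() != "bearer":
                return None
            return frag.get("access_token", [None])[0]
        url = location  # not the callback yet: keep following the AS
    return None  # too many hops: treat as a broken or looping chain
```

A token delivered to any Location other than the registered callback, or with a mismatched state, is discarded rather than trusted.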