Seeking guidance on the implementation of native/rich client flow

Torsten Lodderstedt torsten at lodderstedt.net
Sat Oct 26 11:52:08 UTC 2013


We use OIDC in conjunction with resource owner password credential grant for native apps (no 3rd party apps, just our own apps).



Todd W Lainhart <lainhart at us.ibm.com> wrote:
>I'm referencing http://openid.net/specs/openid-connect-core-1_0.html
>
>We have an Authorization Server that supports SSO via session extensions
>to OAuth 2.0.  We're looking to replace that protocol w/ OIDC.  There's a
>couple of sticky points that I'm not sure how to translate.
>
>1) Rich/Native Client login
>
>Imagine an Eclipse-based rich client accepts user credentials and receives
>a bearer token in return.  The negotiation may be basic,
>credentials-based, SPNEGO.  The client is anonymous.  Rather than using
>the Resource Owner Password Credentials Grant (where username/password are
>REQUIRED parameters), we opted for a custom endpoint so that the AS could
>determine if the request was authenticated in the absence of
>username/password.  Similar to Resource Owner Password Credentials Grant.
>
>I'm wondering what the guidance is for such a setup in OIDC.  Implicit
>requires the native client to follow (presumably) 302s with the AS until
>it gets the final 302 to the callback location.  Seems messy for this
>setup.
>
>In the absence of guidance/precedent, I'm inclined to think that a
>Resource Owner Password Credentials Grant style extension is the way to go
>for this scenario.
>
>Todd Lainhart
>Rational software
>IBM Corporation
>550 King Street, Littleton, MA 01460-1250
>1-978-899-4705
>2-276-4705 (T/L)
>lainhart at us.ibm.com