<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>I would have the client use the resource owner credentials flow if it has the password. If it is going to authenticate based on some other credential already in the browser then use the code flow. </div><div><br></div><div>I would need to know more about the other credentials. I am assuming a desktop app if it is Eclipse based. </div><div><br></div><div>John B. </div><div><br>On Oct 26, 2013, at 8:52 AM, Torsten Lodderstedt <<a href="mailto:torsten@lodderstedt.net">torsten@lodderstedt.net</a>> wrote:<br><br></div><blockquote type="cite"><div>We use OIDC in conjunction with resource owner password credential grant for native apps (no 3rd party apps, just our own apps)<br><br><div class="gmail_quote"><br>
<br>
Todd W Lainhart <<a href="mailto:lainhart@us.ibm.com">lainhart@us.ibm.com</a>> schrieb:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<font size="2" face="sans-serif">I'm referencing </font><a href="http://openid.net/specs/openid-connect-core-1_0.html"><font size="3" color="blue"><u>http://openid.net/specs/openid-connect-core-1_0.html</u></font></a><font size="3">
</font>
<br>
<br><font size="2" face="sans-serif">We have an Authorization Server that
supports SSO via session extensions to OAuth 2.0. We're looking to
replace that protocol w/ OIDC. There are a couple of sticky points
that I'm not sure how to translate.</font>
<br>
<br><font size="2" face="sans-serif">1) Rich/Native Client login</font>
<br>
<br><font size="2" face="sans-serif">Imagine an Eclipse-based rich client
accepts user credentials and receives a bearer token in return. The
negotiation may be basic, credentials-based, SPNEGO. The client is
anonymous. Rather than using the Resource Owner Password Credentials
Grant (where username/password are REQUIRED parameters), we opted for a
custom endpoint so that the AS could determine if the request was authenticated
in the absence of username/password. Similar to Resource Owner Password
Credentials Grant.</font>
<br>
<br><font size="2" face="sans-serif">I'm wondering what the guidance is for
such a setup in OIDC. Implicit requires the native client to follow
(presumably) 302s with the AS until it gets the final 302 to the callback
location. Seems messy for this setup.</font>
<br>
<br><font size="2" face="sans-serif">In the absence of guidance/precedent,
I'm inclined to think that a Resource Owner Password Credentials Grant
style extension is the way to go for this scenario.<br>
</font>
<br>
<table width="223" style="border-collapse:collapse;"><tbody><tr height="8"><td width="223" bgcolor="white" style="border-style:solid;border-color:#000000;border-width:0px 0px 0px 0px;padding:0px 0px;"><font size="1" face="Verdana"><b><br>
<br>
<br>
Todd Lainhart<br>
Rational software<br>
IBM Corporation<br>
550 King Street, Littleton, MA 01460-1250</b></font><font size="1" face="Arial"><b><br>
1-978-899-4705<br>
2-276-4705 (T/L)<br>
<a href="mailto:lainhart@us.ibm.com">lainhart@us.ibm.com</a></b></font></td></tr></tbody></table>
<br><pre class="k9mail"><hr><br>specs mailing list<br><a href="mailto:specs@lists.openid.net">specs@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-specs">http://lists.openid.net/mailman/listinfo/openid-specs</a><br></pre></blockquote></div></div></blockquote></body></html>