<html><head></head><body>We use OIDC in conjunction with resource owner password credential grant for native apps (no 3rd party apps, just our own apps)<br><br><div class="gmail_quote"><br>
<br>
Todd W Lainhart <lainhart@us.ibm.com> schrieb:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<font size="2" face="sans-serif">I'm referencing </font><a href="http://openid.net/specs/openid-connect-core-1_0.html"><font size="3" color="blue"><u>http://openid.net/specs/openid-connect-core-1_0.html</u></font></a><font size="3">
</font>
<br />
<br /><font size="2" face="sans-serif">We have an Authorization Server that
supports SSO via session extensions to OAuth 2.0. We're looking to
replace that protocol w/ OIDC. There's a couple of sticky points
that I'm not sure how to translate.</font>
<br />
<br /><font size="2" face="sans-serif">1) Rich/Native Client login</font>
<br />
<br /><font size="2" face="sans-serif">Imagine an Eclipse-based rich client
accepts user credentials and receives a bearer token in return. The
negotiation may be basic, credentials-based, SPENGO. The client is
anonymous. Rather than using the Resource Owner Password Credentials
Grant (where username/password are REQUIRED parameters), we opted for a
custom endpoint so that the AS could determine if the request was authenticated
in the absence of username/password. Similar to Resource Owner Password
Credentials Grant.</font>
<br />
<br /><font size="2" face="sans-serif">I'm wondering what the guidance is for
such a setup in OIDC. Implicit requires the native client to follow
(presumably) 302s with the AS until it gets the final 302 to the callback
location. Seems messy for this setup.</font>
<br />
<br /><font size="2" face="sans-serif">In the absence of guidance/precedent,
I'm inclined to think that a Resource Owner Password Credentials Grant
style extension is the way to go for this scenario.<br />
</font>
<br />
<table width="223" style="border-collapse:collapse;"><tbody><tr height="8"><td width="223" bgcolor="white" style="border-style:solid;border-color:#000000;border-width:0px 0px 0px 0px;padding:0px 0px;"><font size="1" face="Verdana"><b><br />
<br />
<br />
Todd Lainhart<br />
Rational software<br />
IBM Corporation<br />
550 King Street, Littleton, MA 01460-1250</b></font><font size="1" face="Arial"><b><br />
1-978-899-4705<br />
2-276-4705 (T/L)<br />
lainhart@us.ibm.com</b></font></td></tr></tbody></table>
<br /><p style="margin-top: 2.5em; margin-bottom: 1em; border-bottom: 1px solid #000"></p><pre class="k9mail"><hr /><br />specs mailing list<br />specs@lists.openid.net<br /><a href="http://lists.openid.net/mailman/listinfo/openid-specs">http://lists.openid.net/mailman/listinfo/openid-specs</a><br /></pre></blockquote></div></body></html>