I have a JS website that tries to obtain an access token by passing the user name and password. I also maintain the auth server, so I consider the JS client as trusted. I am able to do this with ASP.net 4.5.x, but when I try to do the same with IdentityServer, I get invalid_client.
I'm now trying out ASP.net 5, and I believe the old OWIN middleware for acting as the identity provider is no longer going to be supported, and they are advocating IdentityServer for when we want to be the identity provider.
POST /connect/token HTTP/1.1
Host: localhost:59766
Content-Type: application/x-www-form-urlencoded
username=admin&password=pw&grant_type=password
I think the IdentityServer requires client information first, but that would mean I would have to expose client_secret on a web page (or native mobile app), which I believe is not allowed, per OAuth specs.
How do we turn off client requirement with IdentityServer?
On IdentityServer's github, I only see C# code that gathers client credentials plus user name and password to obtain an access token for resource owner credentials flow here. What is the equivalent raw HTTP request?
I personally don't care if another app were to try to impersonate my client. It's really the user's credentials that would allow access to anything anyway.
In IdentityServer3, client authentication is mandatory: a token request cannot be validated if the client credentials are missing from the request, no matter which grant type you're using (authorization code, refresh token, resource owner password).
Of course, this is not really specs-compliant, since client authentication is not needed for public applications like JS apps, but I guess this requirement is here to encourage you to use the implicit flow instead (https://www.rfc-editor.org/rfc/rfc6749#section-4.3.2).
If you really want to use ROPC with IdentityServer, you can flow the client credentials with the other OAuth2 parameters:
POST /connect/token HTTP/1.1
Host: localhost:59766
Content-Type: application/x-www-form-urlencoded
client_id=id&client_secret=not_secret_at_all&username=admin&password=pw&grant_type=password&scope=read+write
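Assembling that request from a JS client, as an added example that is not part of the original answer: the token endpoint, client id and secret are constructed sample values, and the error mapping follows RFC 6749 section 5.2.

```javascript
// Added example (not from the original post): builds the raw ROPC token
// request shown in the answer and interprets the token endpoint's reply.
// Endpoint, client id and secret are constructed sample values.

// Build the form-encoded body: the RFC 6749 section 4.3.2 parameters plus
// the client credentials IdentityServer3 insists on. A secret shipped in a
// browser or mobile app is public by definition, so treat it as a client
// identifier only; it authenticates nothing about the application.
function buildRopcTokenRequest({ tokenEndpoint, clientId, clientSecret, username, password, scope }) {
  const body = new URLSearchParams();
  body.set('client_id', clientId);
  body.set('client_secret', clientSecret);
  body.set('username', username);
  body.set('password', password);
  body.set('grant_type', 'password');
  if (scope) body.set('scope', scope); // space-separated scopes serialize as '+'
  return {
    url: tokenEndpoint,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Classify the JSON reply. Missing or unknown client credentials produce
// {"error":"invalid_client"}, the symptom from the question; a rejected
// username/password produces "invalid_grant" (RFC 6749 section 5.2).
function interpretTokenResponse(status, json) {
  if (status === 200 && json.access_token) {
    return { ok: true, accessToken: json.access_token, expiresIn: json.expires_in };
  }
  const hints = {
    invalid_client: 'client_id/client_secret missing or not known to IdentityServer',
    invalid_grant: 'username/password rejected',
    unauthorized_client: 'this client is not allowed to use the password grant',
  };
  return { ok: false, error: json.error, hint: hints[json.error] || 'unexpected error' };
}

// Send the request with fetch (browser or Node 18+). Not invoked in this
// file so it stays runnable offline.
async function requestToken(opts) {
  const req = buildRopcTokenRequest(opts);
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  return interpretTokenResponse(res.status, await res.json());
}
```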