OIDC doesn't support Resource Owner Password Credentials Grant. Why? Some of my clients are secured devices which could safely maintain credentials... Those credentials could be used to get an access_token. Can I still use OpenID Connect?
The resource owner password credentials grant workflow allows for the exchanging of the user name and password of a user for an access token. When using the resource owner password credentials grant, the user provides the credentials (user name and password) directly to the application.
The resource owner password (or "password") grant type is mostly used in cases where the app is highly trusted. In this configuration, the user provides their resource server credentials (username/password) to the client app, which sends them in an access token request to Apigee Edge.
As of OAuth 2.1, the ROPC grant type is now deprecated, and its use is discouraged by the OAuth security best practices.
It is not explicit in the specification but OpenID Connect supports all OAuth 2.0 flows since it is an extension of OAuth 2.0.
The spec talks about the flows that involve a browser redirect as they are more common, more secure and less brittle, given that the resource owner password credentials grant only supports username and password and is only in the OAuth 2 spec for backwards compatibility. In true SSO systems you'd want to abstract away from the method of authenticating the user at the OP/IDP. Involving a browser is a way to do that.
But your mileage may vary wrt. support in specific OP/AS software and client libraries.
FWIW: you should be looking to obtain an id_token rather than an access_token.
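To make the answer above concrete, here is an added example (not code from the question or any answer) of what "OIDC on top of the password grant" looks like: the device POSTs `grant_type=password` with `scope=openid` to the OP's token endpoint, and if the OP supports it (which, as the answer notes, is not guaranteed), an `id_token` comes back next to the `access_token`, and the client validates that ID token rather than trusting the access token. The OP, client id, client secret and user store are all hypothetical/constructed so the exchange runs in-process and offline; the ID token is signed with HS256 keyed on the client secret, which OIDC Core allows, in place of the RS256/JWKS setup a real OP would typically use.

```python
"""Added example: Resource Owner Password Credentials grant with scope=openid,
OP and client simulated in one process. Assumptions (hypothetical, not from the
page): ISSUER supports the password grant, CLIENT_ID/CLIENT_SECRET identify the
device, and ID tokens are HS256-signed with the client secret."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode

ISSUER = "https://op.example.test"          # hypothetical OP
CLIENT_ID = "device-client-1"                # hypothetical client
CLIENT_SECRET = b"constructed-demo-secret"   # constructed; doubles as the HS256 key
USERS = {"alice": "s3cret-demo"}             # constructed credential store
TOKEN_TTL = 300


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> bytes:
    return hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()


def issue_id_token(sub: str, now: int) -> str:
    """Compact JWS (HS256) carrying the required ID token claims (OIDC Core 2)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({
        "iss": ISSUER, "sub": sub, "aud": CLIENT_ID,
        "iat": now, "exp": now + TOKEN_TTL, "auth_time": now,
    }).encode())
    signing_input = f"{header}.{claims}"
    return f"{signing_input}.{_b64url(_sign(signing_input))}"


def token_endpoint(body: str, now: int) -> tuple:
    """Simulated OP /token endpoint; `body` is the x-www-form-urlencoded POST body.
    Returns (http_status, json_response)."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    if form.get("client_id") != CLIENT_ID or \
            not hmac.compare_digest(form.get("client_secret", "").encode(), CLIENT_SECRET):
        return 401, {"error": "invalid_client"}
    user = form.get("username", "")
    if user not in USERS or \
            not hmac.compare_digest(USERS[user].encode(), form.get("password", "").encode()):
        # RFC 6749 5.2: bad resource owner credentials are reported as invalid_grant
        return 400, {"error": "invalid_grant"}
    response = {
        "access_token": _b64url(hashlib.sha256(f"{user}:{now}".encode()).digest()),
        "token_type": "Bearer",
        "expires_in": TOKEN_TTL,
    }
    # The OIDC layer: only the `openid` scope turns this OAuth grant into an
    # authentication request and adds an ID token beside the access token.
    if "openid" in form.get("scope", "").split():
        response["id_token"] = issue_id_token(user, now)
    return 200, response


def verify_id_token(token: str, now: int) -> dict:
    """Client-side ID token validation (OIDC Core 3.1.3.7): signature, iss, aud, exp.
    No nonce check: ROPC has no authorization request in which to send one."""
    header, claims, sig = token.split(".")
    if not hmac.compare_digest(_sign(f"{header}.{claims}"), _b64url_decode(sig)):
        raise ValueError("id_token signature invalid")
    payload = json.loads(_b64url_decode(claims))
    if payload.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if payload.get("aud") != CLIENT_ID:
        raise ValueError("id_token not issued to this client")
    if payload.get("exp", 0) <= now:
        raise ValueError("id_token expired")
    return payload


def ropc_login(username: str, password: str, scope: str, now: int) -> tuple:
    """What the secured device does: POST its credentials, then rely on the
    validated ID token (not the access token) as proof of who authenticated."""
    body = urlencode({"grant_type": "password", "client_id": CLIENT_ID,
                      "client_secret": CLIENT_SECRET.decode(),
                      "username": username, "password": password, "scope": scope})
    status, response = token_endpoint(body, now)
    if status != 200:
        return status, response, None
    claims = verify_id_token(response["id_token"], now) if "id_token" in response else None
    return status, response, claims


if __name__ == "__main__":
    print(ropc_login("alice", "s3cret-demo", "openid profile", int(time.time())))
```

The two things to watch in practice are visible in the code: without `openid` in the scope the OP returns only an access token and the client learns nothing about who logged in, and the ID token is only worth anything after the signature, `iss`, `aud` and `exp` checks pass.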
OpenID Connect performs authentication to log in the End-User or to determine that the End-User is already logged in. OpenID Connect returns the result of the Authentication performed by the Server to the Client in a secure manner so that the Client can rely on it.
With the implicit and authorization code grant type flows, it is not possible to issue an ID token if the End-User is not logged in. In this case, the authorization server can confirm to the relying party that the End-User is logged in. But with the resource owner grant type flow, the authorization server cannot confirm the End-User is logged in. You can issue an access token even if the End-User is not logged in.