OpenIDC / mod_auth_openidc

OpenID Certified™ OpenID Connect Relying Party implementation for Apache HTTP Server 2.x


Support for Resource Owner Password Credentials flow

marcstern opened this issue · comments

This is a feature request.
If you have an application (like a scheduled job) that has no real (human) user, but needs to connect to your application, the Authorization Code Grant flow cannot be used (unless you hard-code the full authentication flow, which could change at any time).
The ROPC flow is the only way to go I'm afraid.

It would be rather easy to support the ROPC flow. At least one implementation of it.
Here is one working proposal, some variations may be imagined:

  1. We set OIDCResponseType to "client_credentials"
  2. The client sends each request with a usual Basic Authentication header (Authorization: b64{user:password})
  3. When the directive OIDCResponseType is set to "client_credentials", mod_auth_openidc grabs user & password from the header and sends a ROPC-compatible request to the token endpoint (and removes the Authorization header)
  4. The result can be used as usual

It seems that simple, no?

What's the problem with my feature request? Why was it rejected by the bot?
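Steps 2 and 3 of the proposal above, as an added Python sketch that is not part of this issue or of mod_auth_openidc: it decodes the caller's Basic header, builds the grant_type=password token request defined in RFC 6749 section 4.3, and drops the caller's header from what is forwarded. The function names, the client_id/client_secret values and the sample headers are constructed for illustration.

```python
import base64
import binascii
from urllib.parse import urlencode


def parse_basic_auth(header_value):
    """Decode 'Authorization: Basic <b64>' into (user, password), or None.

    None means the header is absent, not Basic, or malformed; a module
    would then fall back to its normal interactive (authorization code) flow.
    """
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # password may itself contain ':'
    if not sep or not user:
        return None
    return user, password


def build_ropc_token_request(headers, client_id, client_secret, scope="openid"):
    """Map the proposal's steps 2-3 onto a concrete token-endpoint request.

    Returns (form_body, token_endpoint_headers, forwarded_headers) or None.
    The relying party authenticates itself with client_secret_basic; the
    resource owner's Authorization header is removed from what is forwarded.
    """
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None:
        return None
    user, password = creds
    form = urlencode({"grant_type": "password", "username": user,
                      "password": password, "scope": scope})
    client_auth = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    token_headers = {"Content-Type": "application/x-www-form-urlencoded",
                     "Authorization": f"Basic {client_auth}"}
    forwarded = {k: v for k, v in headers.items() if k.lower() != "authorization"}
    return form, token_headers, forwarded


# Constructed sample: a scheduled job calling with Basic credentials alice / p:ss
SAMPLE_HEADERS = {"Host": "app.example", "Accept": "application/json",
                  "Authorization": "Basic " + base64.b64encode(b"alice:p:ss").decode()}
```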