Support for password grant types #69

Open
micbar opened this issue Dec 12, 2022 · 1 comment
Labels
enhancement New feature or request

Comments

@micbar

micbar commented Dec 12, 2022

Reference

https://oauth.net/2/grant-types/password/

Why is this important?

In the context of ocis we are including lico as our default OpenID Connect Provider.

It would give us a strong value to provide a browser-less OIDC flow to get an access token for API usage. This is useful for automated provisioning and deployment tasks as well as 3rd party integrations which are not browser based.

@longsleep Is that something we could agree on? If yes, could you provide a pointer for implementing this?

@longsleep
Collaborator

The use case "to get an access token for API usage" from a password should not be used. We should not encourage insecure usage in my opinion.

Having that said, Resource Owner Password Credentials flow is often enough requested - recently there was a similar discussion at authts/oidc-client-ts#747 (review) which is worth reading. We ended up merging support for it into a client library.

@micbar I think it would be no harm to add it if it is bound to additional security constraints, which for a start I would see something like this (configured via identifier-registration.yaml).

  • requires a registered secure client (means client secret is set and not a dynamic client)
  • flow must be explicitly enabled in the client registration (boolean flag)
  • registered client application_type must be native
  • registered client must be trusted
  • registered client must have a scope whitelist which is empty by default (means client gets no scopes)
  • must have client registration configuration for the lico specific identity scopes
  • can support request object based extra claims (ideally signed only and somehow validated with json schema or similar)

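As an added illustration (not code from lico or from this issue), here is a Go policy check that applies the constraints listed above to a client registration before a password grant is served; the `ClientRegistration` struct, its field names and the `PasswordGrantEnabled` flag are hypothetical stand-ins for whatever keys identifier-registration.yaml would gain.

```go
package main

import (
	"errors"
	"fmt"
)

// ClientRegistration is a hypothetical stand-in for one client entry in
// identifier-registration.yaml; the field names are assumptions for this example.
type ClientRegistration struct {
	ID                   string
	Secret               string   // empty means no client secret is registered
	Dynamic              bool     // true for dynamically registered clients
	PasswordGrantEnabled bool     // the proposed explicit opt-in flag
	ApplicationType      string   // "native" or "web"
	Trusted              bool
	ScopeWhitelist       []string // empty by default: the client gets no scopes
}

// CheckPasswordGrant rejects clients that fail any of the registration
// constraints and otherwise returns only the requested scopes that are
// whitelisted for the client (an empty whitelist yields an empty scope set).
func CheckPasswordGrant(c ClientRegistration, requested []string) ([]string, error) {
	switch {
	case c.Secret == "" || c.Dynamic:
		return nil, errors.New("password grant requires a registered client with a secret")
	case !c.PasswordGrantEnabled:
		return nil, errors.New("password grant is not enabled for this client")
	case c.ApplicationType != "native":
		return nil, errors.New("password grant requires application_type native")
	case !c.Trusted:
		return nil, errors.New("password grant requires a trusted client")
	}
	allowed := make(map[string]bool, len(c.ScopeWhitelist))
	for _, s := range c.ScopeWhitelist {
		allowed[s] = true
	}
	granted := []string{}
	for _, s := range requested {
		if allowed[s] {
			granted = append(granted, s)
		}
	}
	return granted, nil
}

func main() {
	// Constructed sample client, not taken from any real deployment.
	c := ClientRegistration{ID: "provisioning-cli", Secret: "<client-secret-placeholder>",
		PasswordGrantEnabled: true, ApplicationType: "native", Trusted: true,
		ScopeWhitelist: []string{"openid", "profile"}}
	granted, err := CheckPasswordGrant(c, []string{"openid", "profile", "email"})
	fmt.Println(granted, err) // [openid profile] <nil>
}
```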
@longsleep longsleep added the enhancement New feature or request label Dec 12, 2022