OpenIDC / mod_auth_openidc

OpenID Certified™ OpenID Connect Relying Party implementation for Apache HTTP Server 2.x
Apache License 2.0
990 stars 327 forks

Support for Resource Owner Password Credentials flow #985

Closed marcstern closed 1 year ago

marcstern commented 1 year ago

This is a feature request. If you have an application (like a scheduled job) that has no real (human) user, but needs to connect to your application, the Authorization Code Grant flow cannot be used (unless you hard-code the full authentication flow, which could change at any time). The ROPC flow is the only way to go I'm afraid.

It would be rather easy to support the ROPC flow. At least one implementation of it. Here is one working proposal, some variations may be imagined:

  1. We set OIDCResponseType to "client_credentials"
  2. The client sends each request with a usual Basic Authentication header (Authorization: b64{user:password})
  3. When the directive OIDCResponseType is set to "client_credentials", mod_auth_openidc grabs user & password from the header and sends a ROPC-compatible request to the token endpoint (and removes the Authorization header)
  4. The result can be used as usually

It seems that simple, no?
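The four steps above, worked through end to end as an added example. This is editor-written Python to show the exchange, not mod_auth_openidc code (the module is C) and not code from the reporter: the token endpoint URL, the client_id/client_secret, and the user table inside the stand-in token endpoint are constructed for illustration. Two points a practitioner would want recorded: the grant being proposed is the Resource Owner Password Credentials grant of RFC 6749 section 4.3 (grant_type=password), which is a different grant from client_credentials (section 4.4), so the example uses the section 4.3 parameter names; and the user's Basic credential and the RP's own client credential both travel as Basic headers, one inbound and one outbound, and must not be mixed up. RFC 9700 (OAuth 2.0 Security Best Current Practice) states that the password grant must not be used, which is the likely reason a maintainer would push back on the request.

```python
"""Translate an incoming 'Authorization: Basic ...' header into an
RFC 6749 section 4.3 (password grant) token request and consume the
token endpoint's reply. Added example; not mod_auth_openidc code.
TOKEN_ENDPOINT, CLIENT_ID, CLIENT_SECRET and the user table in
fake_token_endpoint are assumed values for illustration only."""
import base64
import binascii
import json
from urllib.parse import parse_qs, urlencode

TOKEN_ENDPOINT = "https://op.example.com/oauth2/token"  # assumed
CLIENT_ID = "apache-rp"                                  # assumed
CLIENT_SECRET = "rp-secret"                              # assumed
SCOPE = "openid"


def make_basic_header(user, password):
    """Encode a Basic credential the way an HTTP client would (RFC 7617)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_auth(header_value):
    """Return (user, password) from an 'Authorization: Basic <b64>' value.
    Raises ValueError on any malformation so the caller answers 401
    instead of forwarding garbage to the token endpoint."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("bad base64 in Basic credential")
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        raise ValueError("Basic credential is not UTF-8")
    # RFC 7617: the user-id cannot contain ':', so split on the FIRST colon;
    # a password that itself contains ':' then survives intact.
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        raise ValueError("Basic credential lacks user-id ':' password")
    return user, password


def build_ropc_token_request(user, password):
    """POST target, headers and form body for grant_type=password
    (RFC 6749 section 4.3.2). The RP authenticates ITSELF with its client
    credentials in the outbound Basic header (section 2.3.1); the USER's
    credentials go only in the form body."""
    body = urlencode({"grant_type": "password", "username": user,
                      "password": password, "scope": SCOPE})
    headers = {"Authorization": make_basic_header(CLIENT_ID, CLIENT_SECRET),
               "Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_ENDPOINT, headers, body


def parse_token_response(status, body_json):
    """Return the access token, or raise PermissionError carrying the OAuth
    error code (RFC 6749 section 5.2) / ValueError for a malformed reply."""
    payload = json.loads(body_json)
    if status != 200:
        raise PermissionError(payload.get("error", "unknown_error"))
    if payload.get("token_type", "").lower() != "bearer" or "access_token" not in payload:
        raise ValueError("token endpoint did not return a bearer token")
    return payload["access_token"]


def fake_token_endpoint(headers, body):
    """Constructed stand-in for the OP's token endpoint: verifies the client
    credential, the grant type and the user's password against a fixed
    table, and answers the way a real OP would."""
    users = {"batchjob": "s3cret:with:colons"}  # constructed test data
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if headers.get("Authorization") != make_basic_header(CLIENT_ID, CLIENT_SECRET):
        return 401, json.dumps({"error": "invalid_client"})
    if form.get("grant_type") != "password":
        return 400, json.dumps({"error": "unsupported_grant_type"})
    if users.get(form.get("username")) != form.get("password"):
        return 400, json.dumps({"error": "invalid_grant"})
    return 200, json.dumps({"access_token": "at-" + form["username"],
                            "token_type": "Bearer", "expires_in": 300})


def handle_request(incoming_authorization_header):
    """End to end: inbound Basic header in, access token or 'NNN reason' out.
    In either outcome the inbound Basic header is dropped, not forwarded."""
    try:
        user, password = parse_basic_auth(incoming_authorization_header)
    except ValueError as e:
        return f"401 {e}"
    _endpoint, headers, body = build_ropc_token_request(user, password)
    status, reply = fake_token_endpoint(headers, body)  # real code: HTTPS POST
    try:
        return parse_token_response(status, reply)
    except PermissionError as e:
        return f"401 {e}"
    except ValueError as e:
        return f"502 {e}"


if __name__ == "__main__":
    print(handle_request(make_basic_header("batchjob", "s3cret:with:colons")))
    print(handle_request(make_basic_header("batchjob", "wrong")))
    print(handle_request("Bearer abc"))
```

The split on the first colon and the strict base64 decode are where a hasty implementation of step 3 would go wrong: a password containing ':' would be truncated, and a non-Basic or malformed header would be forwarded to the token endpoint as a bogus username/password pair.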

github-actions[bot] commented 1 year ago

https://github.com/zmartzone/mod_auth_openidc/wiki#20-why-is-my-ticket-closed-as-invalid

marcstern commented 1 year ago

What's the problem with my feature request? Why was it rejected by the bot?