openam-jp / openam


Add disable option of password credentials grant #240

Open i7a7467 opened 3 years ago

i7a7467 commented 3 years ago

Description

The OAuth 2.0 Security Best Current Practice describes the following: "The resource owner password credentials grant MUST NOT be used."

Therefore, I hope that OpenAM will be able to reject password credentials requests on a per-client basis.

Solution

Add a disable option for the Resource Owner Password Credentials Grant in the OAuth 2.0 Client. To be more specific, this disable option denies requests with grant_type=password.

Alternatives

Additional context

tsujiguchitky commented 2 years ago

Sorry for the very late response.

I believe that grants other than password should also be controlled. Currently, the SAML2 grant and Device flow also work, but it would be better to be able to disable them as well. Also, there may be a requirement to use only the authorization code grant.

Therefore, I think it would be better to have a setting that specifies valid grants.

And it should have settings in both the OP and the RP, as mentioned in the two specs below.

Then, my colleague is currently developing this feature.

i7a7467 commented 2 years ago

Thanks for the reply. You're right. I think it would be wonderful to have the list of valid grants too. Please close #240 #241.

tsujiguchitky commented 2 years ago

OK, thanks.

I will close this issue after raising a new replacement issue.
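The per-client "valid grants" setting discussed in this thread, sketched as an added example that is not OpenAM code: a token-endpoint check that consults an allowlist of grant types per client, falls back to a server-wide default that excludes the password grant (as the OAuth 2.0 Security BCP requires), and answers with the RFC 6749 error codes. The `Client` class, `SUPPORTED_GRANTS`, `DEFAULT_GRANTS` and `check_grant` are assumptions for illustration.

```python
# Added example, not OpenAM code: enforce a per-client list of permitted
# grant types at the token endpoint.
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Grant types the server implements at all, named as they appear in the
# grant_type parameter (standard names and URNs from the OAuth RFCs).
SUPPORTED_GRANTS: Set[str] = {
    "authorization_code",
    "refresh_token",
    "client_credentials",
    "password",
    "urn:ietf:params:oauth:grant-type:saml2-bearer",
    "urn:ietf:params:oauth:grant-type:device_code",
}

# Server-wide (OP-side) default for clients with no explicit setting:
# everything except the password grant, which the BCP says MUST NOT be used.
DEFAULT_GRANTS: Set[str] = SUPPORTED_GRANTS - {"password"}


@dataclass
class Client:
    """Hypothetical client record; allowed_grants is the per-client (RP-side) setting."""
    client_id: str
    # None means "inherit the server default"; an explicit set overrides it.
    allowed_grants: Optional[Set[str]] = None


def check_grant(client: Client, grant_type: str) -> Dict[str, str]:
    """Return {} when the grant may proceed, otherwise an RFC 6749 error object.

    Unknown grant types are rejected before the allowlist is consulted, so a
    misspelt or unimplemented grant_type never gets treated as "allowed".
    """
    if grant_type not in SUPPORTED_GRANTS:
        return {"error": "unsupported_grant_type"}
    allowed = client.allowed_grants if client.allowed_grants is not None else DEFAULT_GRANTS
    if grant_type not in allowed:
        return {
            "error": "unauthorized_client",
            "error_description": f"grant_type '{grant_type}' is disabled for client '{client.client_id}'",
        }
    return {}
```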