
I want to get user attributes with an Access Token in a Resource Owner Credential (Password) grant type. I would like to use OpenID Connect, but the spec only talks about browser-based grants, i.e. Authorization Code and Implicit.

I'm trying to understand why the spec doesn't support it. Is it because of a security risk, or some other reason?

drox

2 Answers

5

A grant type where your service has access to the user's sign-in identifier and password defeats the purpose of OpenID Connect, where you should be able to authenticate and identify a user without the user having to trust (or accidentally provide) you with their credentials.

Some security concerns with this grant type are expressed in RFC 6749 section 4.3. And it explicitly states (emphasis mine):

The authorization server should take special care when enabling this grant type and only allow it when other flows are not viable.

Related: Does OpenID Connect support the Resource Owner Password Credentials grant?

William Price
1

Since OpenID Connect is a specialization on top of the OAuth 2.0 specification, all of the grant flows in OAuth 2.0 can be done, including Resource Owner Password Grant. It's not recommended, but you can do it. You'd also have to check to make sure that your OP supports it. The ones I've looked at do, but it's possible that not all of them do.

user2679859
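As an added example (not from either answer), this Python shows the client-side pieces the answers refer to: checking an OP's discovery document for the password grant, building the RFC 6749 section 4.3 token request with scope=openid so an ID Token comes back, and reading claims from that ID Token. The issuer, endpoints, client id and tokens are constructed sample values.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed sample OIDC discovery document (only the fields used here).
DISCOVERY_DOC = json.dumps({
    "issuer": "https://op.example",
    "token_endpoint": "https://op.example/token",
    "userinfo_endpoint": "https://op.example/userinfo",
    "grant_types_supported": ["authorization_code", "implicit", "password"],
})


def op_supports_password_grant(discovery_json):
    """True if the OP advertises the password grant. Per OpenID Connect
    Discovery, a missing grant_types_supported means only
    authorization_code and implicit are supported."""
    doc = json.loads(discovery_json)
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    return "password" in grants


def build_ropc_token_request(username, password, client_id):
    """Form body for the RFC 6749 section 4.3 token request; scope=openid
    asks the OP for an ID Token. Note the client handles the raw password."""
    return urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": client_id,
        "scope": "openid profile",
    })


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def id_token_claims(token_response_json):
    """Extract claims from the id_token in a token response. The signature
    is NOT verified here; a real client must verify it against the OP's
    JWKS (and check iss/aud/exp) before trusting these claims."""
    resp = json.loads(token_response_json)
    payload = resp["id_token"].split(".")[1]
    return json.loads(b64url_decode(payload))


def _b64url(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


# Constructed token response carrying an unsigned (alg none) demo ID Token.
_CLAIMS = {"iss": "https://op.example", "sub": "user-123", "aud": "my-app", "name": "Alice"}
TOKEN_RESPONSE = json.dumps({
    "access_token": "at-xyz", "token_type": "Bearer",
    "id_token": _b64url(b'{"alg":"none"}') + "." + _b64url(json.dumps(_CLAIMS).encode()) + ".",
})
```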