
I am trying to build an identity provider application using IdentityServer4. Currently, I am using the "Resource Owner Password Credentials" flow, and it returns an access_token and a refresh_token from the token endpoint.

Code snippet for calling the token endpoint from the client:

```csharp
// IdentityModel's TokenClient, authenticating as the client with its id and secret
var tokenClient = new TokenClient(<TokenEndpoint>, <ClientId>, <ClientSecret>);

// Password grant: the user's credentials are sent straight to the token endpoint
var tokenResponse = await tokenClient.RequestResourceOwnerPasswordAsync(<UserName>, <password>, <Scopes>);
```

My question is: how do I get an "id_token" along with the "access_token" and "refresh_token" using the same "Resource Owner Password Credentials" flow?

codeninja.sj

1 Answer


How to get "id_token" along with "access_token" and "refresh_token" by using the same "Resource Owner Password Credentials" flow?

You don't.

In IdentityServer4, the Resource Owner Password Credentials flow provides only access tokens. If you also want an id token, then use the Authorization Code flow, the Implicit Code flow, or the Hybrid flow.

                                       access_token   id_token   refresh_token
Resource Owner Password Credentials        yes           -           yes
Authorization Code                         yes          yes          yes
Implicit Flow                              yes          yes           -

Since you want all three token types, and since you appear to be using server-side code, the Authorization Code flow fits best. Some kinds of Hybrid Flow will also work for you.

From the docs:

The OAuth 2.0 resource owner password grant allows a client to send username and password to the token service and get an access token back that represents that user.

From a GitHub issue:

OpenID Connect does not specify the resource owner flow - only interactive logons at the authorization server (like code or implicit flow). So [in other words,] no identity token - only access tokens.

Shaun Luttin
  • Thanks @Shaun. Is there any other way to get both access_token and id_token from token endpoint? – codeninja.sj Jan 02 '17 at 05:41
  • @codeninja.sj Yes. You can use one of the OpenID Connect flows. In your case the Authorization Code flow seems like the best candidate. If you're building a web browser-based application, though, you will want the Implicit Flow. – Shaun Luttin Jan 02 '17 at 05:43
  • Authorization Code Flow only accepts "username" and "password" but not "client_id" and "client_secret"; "Implicit Code Flow" accepts "client_id" and "client_secret" but not "username" and "password". But I have to pass all these parameters to get tokens. Is there any other better way to achieve this? – codeninja.sj Jan 02 '17 at 05:50
  • @codeninja.sj Based on your question using server-side code, my sense is that you want the Authorization Code Flow. I think you're mistaken about what it accepts. The Authorization Code flow takes a client id and client secret. – Shaun Luttin Jan 02 '17 at 05:55
  • 1
    let me try with authorization code flow! thanks for your suggestion :) – codeninja.sj Jan 02 '17 at 06:01
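The two flows side by side, as an added example that is not part of the question or the answer above. It uses the same IdentityModel `TokenClient` the asker's snippet uses (IdentityModel 2.x, the version current when the question was asked) and assumes an IdentityServer4 instance whose endpoints, client id, client secret and redirect URI are placeholders. It also shows where the client_id/client_secret pair and the user's credentials go in the Authorization Code flow, which is the point of confusion in the comments: the user authenticates at the authorize endpoint in the browser, and only the client authenticates (with its secret) at the token endpoint when it exchanges the code.

```csharp
using System;
using System.Threading.Tasks;
using IdentityModel;
using IdentityModel.Client;

// Added example, not code from the original post or from IdentityServer4 itself.
// Assumes IdentityModel 2.x and an IdentityServer4 instance at the placeholder
// URLs below; client id, secret and redirect URI are assumptions as well.
public static class TokenFlows
{
    const string AuthorizeEndpoint = "https://localhost:5000/connect/authorize"; // assumption
    const string TokenEndpoint     = "https://localhost:5000/connect/token";     // assumption
    const string ClientId          = "client";                                  // assumption
    const string ClientSecret      = "secret";                                  // assumption
    const string RedirectUri       = "https://localhost:5002/signin-oidc";       // assumption
    const string Scope             = "openid profile api1 offline_access";      // assumption

    // 1. Resource owner password grant (the asker's call). The user's password is
    //    handed to the client and posted to the token endpoint. Even with "openid"
    //    in the scope, the response carries access_token (and refresh_token when
    //    offline_access is granted) but no id_token.
    public static async Task<TokenResponse> PasswordGrantAsync(string userName, string password)
    {
        var client = new TokenClient(TokenEndpoint, ClientId, ClientSecret);
        return await client.RequestResourceOwnerPasswordAsync(userName, password, Scope);
    }

    // 2a. Authorization code flow, step one: build the URL the user's browser is sent
    //     to. No username or password passes through the client; the user logs in at
    //     the authorization server. Keep state and nonce to verify the round trip.
    public static string BuildAuthorizeUrl(out string state, out string nonce)
    {
        state = CryptoRandom.CreateUniqueId();
        nonce = CryptoRandom.CreateUniqueId();
        return new AuthorizeRequest(AuthorizeEndpoint).CreateAuthorizeUrl(
            clientId: ClientId,
            responseType: OidcConstants.ResponseTypes.Code,
            scope: Scope,
            redirectUri: RedirectUri,
            state: state,
            nonce: nonce);
    }

    // 2b. Step two: the redirect back to RedirectUri carries ?code=...&state=...
    //     This is where client_id and client_secret are used: the client authenticates
    //     to the token endpoint and exchanges the one-time code for the tokens.
    public static async Task<TokenResponse> ExchangeCodeAsync(string code, string returnedState, string expectedState)
    {
        // Reject a callback whose state does not match what this client issued.
        if (!string.Equals(returnedState, expectedState, StringComparison.Ordinal))
            throw new InvalidOperationException("state mismatch: callback was not started by this client");

        var client = new TokenClient(TokenEndpoint, ClientId, ClientSecret);
        return await client.RequestAuthorizationCodeAsync(code, RedirectUri);
    }

    // Report which of the three tokens came back so the two flows can be compared.
    public static string Describe(TokenResponse r)
    {
        if (r.IsError) return "error: " + r.Error;
        return string.Format("access_token={0} id_token={1} refresh_token={2}",
            r.AccessToken != null, r.IdentityToken != null, r.RefreshToken != null);
    }
}
```

With a client configured for both grant types, `Describe(await PasswordGrantAsync(...))` reports an access token and a refresh token only, while `Describe(await ExchangeCodeAsync(...))` after a browser login through `BuildAuthorizeUrl` reports all three. Before trusting the returned `IdentityToken`, validate its signature against the server's signing keys and check that its `nonce` claim equals the value generated in `BuildAuthorizeUrl`, its `aud` equals the client id, and it has not expired; the state check in `ExchangeCodeAsync` only ties the callback to a request this client started.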