
Commit 2f79eb5

Merge pull request #369 from onewelcome/SAAS-1193
SAAS-1193 Reintroduce ROPC
2 parents de8b884 + db4c370 commit 2f79eb5

6 files changed

+47
-8
lines changed

docs/products/access/api-reference/config-api/web-client.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -95,7 +95,7 @@ JSON body parameters:
9595
| client_secret | depends | "AF33E2BF29C54A4639AB…" | Client Secret (not returned on GET). Required when `client_authentication_method` is `CLIENT_SECRET_BASIC` or when `client_authentication_method` is not specified. |
9696
| public_jwk | depends | EC or RSA public key | Plain public key for private key JWT authentication in the Elliptic Curve (min P-256) or RSA (min 2048, max 4096 key length) x509 format. OneWelcome Access will favour `jwks_uri` if provided over statically defined JWK. |
9797
| jwks_uri | depends | "https://authorization-server/jwks" | Uri of JWKS endpoint with public keys for private key JWT authentication. |
98-
| grant_types | yes | ["CLIENT_CREDENTIALS"] | Set of Grant Types. Allowed values: `AUTHORIZATION_CODE`, `CLIENT_CREDENTIALS` and `DEVICE_CODE`. When `client_authentication_method` is `PKCE` the only allowed value is `AUTHORIZATION_CODE`. |
98+
| grant_types | yes | ["CLIENT_CREDENTIALS"] | Set of Grant Types. Allowed values: `AUTHORIZATION_CODE`, `CLIENT_CREDENTIALS`, `PASSWORD` and `DEVICE_CODE`. When `client_authentication_method` is `PKCE` the only allowed value is `AUTHORIZATION_CODE`. |
9999
| access_token_format | no | "OPAQUE" | Format of the [Access Token](../../topics/tokens/access-token.md). Allowed values: `OPAQUE` (random string), `JWT` (JSON Web Token). Defaults to `OPAQUE` when omitted. The JWT access token contains the user identifier for grant types `AUTHORIZATION_CODE`. |
100100
| redirect_url | yes | "https://example.com/redirect" | An URL to which the browser is redirected after successfully obtaining an Access grant. Required for Grant type `AUTHORIZATION_CODE`. |
101101
| additional_redirect_urls | no | ["https://example.org/redirect"] | Additional URLs that the user can be redirected to after successfully obtaining an Access grant. |
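Review bot: The `grant_types` row now lists `PASSWORD`, but it does not state the constraint the new topic page introduces, namely that `PASSWORD` cannot be combined with `AUTHORIZATION_CODE` or `DEVICE_CODE` in the same client. The API reference is where integrators look up what the config endpoint will accept, so add a sentence to the row such as "`PASSWORD` cannot be combined with `AUTHORIZATION_CODE` or `DEVICE_CODE`." and document the error the endpoint returns when they are combined. Related: the `access_token_format` row still says the JWT "contains the user identifier for grant types `AUTHORIZATION_CODE`"; a token obtained with `PASSWORD` is also issued on behalf of a user, so state whether the user identifier is included for that grant as well.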
@@ -277,7 +277,7 @@ Only the fields that are sent in the request will be changed.
277277
| client_secret | no | "AF33E2BF29C54A4639AB…" | Client Secret (not returned on GET) |
278278
| public_jwk | depends | EC or RAS public key | Plain public key for private key JWT authentication in the Elliptic Curve (min P-256) or RSA (min 2048, max 4096 key length) x509 format. The OneWelcome Access will favour `jwks_uri` if provided over statically defined JWK. |
279279
| jwks_uri | depends | "https://authorization-server/jwks" | Uri of JWKS endpoint with public keys for private key JWT authentication. |
280-
| grant_types | no | ["CLIENT_CREDENTIALS"] | Set of Grant Types. Allowed values: `AUTHORIZATION_CODE`, `CLIENT_CREDENTIALS` and `DEVICE_CODE`. When `client_authentication_method` is `PKCE` the only allowed value is `AUTHORIZATION_CODE`. |
280+
| grant_types | no | ["CLIENT_CREDENTIALS"] | Set of Grant Types. Allowed values: `AUTHORIZATION_CODE`, `CLIENT_CREDENTIALS`, `PASSWORD` and `DEVICE_CODE`. When `client_authentication_method` is `PKCE` the only allowed value is `AUTHORIZATION_CODE`. |
281281
| access_token_format | no | "OPAQUE" | Format of the [Access Token](../../topics/tokens/access-token.md). Allowed values: `OPAQUE` (random string), `JWT` (JSON Web Token). The JWT access token contains the user identifier for grant type `AUTHORIZATION_CODE`. |
282282
| redirect_url | no | "https://example.com/redirect" | An URL to which the browser is redirected after successfully obtaining an Access grant. Used with Grant type `AUTHORIZATION_CODE`. |
283283
| additional_redirect_urls | no | ["https://example.org/redirect"] | Additional URLs that the user can be redirected to after successfully obtaining an Access grant. |
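Review bot: Same gap as in the create-request table: the `grant_types` row should mention that `PASSWORD` is mutually exclusive with `AUTHORIZATION_CODE` and `DEVICE_CODE`, and that a PATCH adding `PASSWORD` to a client that already has one of those will be rejected. While this table is being touched, the unchanged `public_jwk` row reads "EC or RAS public key"; that should be "RSA".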

docs/products/access/api-reference/description-oauth-endpoint.md

Lines changed: 3 additions & 0 deletions
@@ -23,6 +23,7 @@ The OAuth 2.0 specification describes the following flows to obtain tokens:
2323

2424
* [Authorization code](https://tools.ietf.org/html/rfc6749#section-4.1)
2525
* [Client credentials](https://tools.ietf.org/html/rfc6749#section-4.4)
26+
* [Resource Owner Password Credentials (ROPC)](https://tools.ietf.org/html/rfc6749#section-4.3)
2627

2728
OneWelcome Access supports all of these flows. However, only the authorization code grant and client credentials grant are recommended.
2829

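Review bot: The bullet list is introduced as "the following flows to obtain tokens" and now names three, but the config API on this same PR allows `DEVICE_CODE` as a grant type, so the list is incomplete after the addition; either add the device code flow or reword the lead-in so it does not claim to enumerate everything. The recommendation sentence that follows ("only the authorization code grant and client credentials grant are recommended") reads correctly with ROPC added.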
@@ -34,6 +35,8 @@ this flow.
3435
* The client credentials flow returns an access token that gives access to resources for a specific client. For example, when the user requests the general
3536
terms and conditions document, the resource server needs to know which client requests access to this document. The resource server does not need to know on
3637
behalf of which user the client requests access. Obtaining the access token can be automated and does not require user interaction.
38+
* The Resource Owner Password Credentials (ROPC) is deprecated and is no longer considered secure for most scenarios. See the topic
39+
on [Resource owner password credentials](../topics/web-clients/resource-owner-password-credentials.md) for more information.
3740

3841
## Authorization endpoint
3942
The authorization endpoint is used in the authorization code flow. In this flow, the
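Review bot: The new bullet is missing its noun: "The Resource Owner Password Credentials (ROPC) is deprecated" should read "The Resource Owner Password Credentials (ROPC) grant is deprecated". The other two bullets explain what the flow returns and when it is used; for consistency this one should say, in one sentence, that the client sends the user's username and password directly to the token endpoint and receives a token bound to that user, which is exactly why it is only acceptable for confidential clients. The link to the topic page then carries the detail.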

docs/products/access/appendix/access-events.md

Lines changed: 3 additions & 1 deletion
@@ -172,6 +172,9 @@
172172
| TOKEN REQUEST INVALID PROFILE ID | Provided profile id has invalid format or is already used by other user of the client. |
173173
| TOKEN REQUEST IMPLICIT AUTHENTICATION ACCESS TOKEN CREATED | An implicit authentication access token was created based on the provided client credentials, profile id and scopes. |
174174
| TOKEN REQUEST IMPLICIT DEFAULT ACCESS TOKEN NOT FOUND | No default access token was found for the provided profile. |
175+
| TOKEN REQUEST PASSWORD ACCESS TOKEN CREATED | The access token created using password grant |
176+
| TOKEN REQUEST PASSWORD INVALID CREDENTIALS | Provided credentials are invalid |
177+
| TOKEN REQUEST PASSWORD NOT SUPPORTED BY IDENTITY PROVIDER | The identity provider configured for this client does not support this authorization type. |
175178
| TOKEN REQUEST REFRESH TOKEN RETRY COUNT EXCEEDED | The refresh token has been used wrongly for more than the maximum allowed retries. The refresh token is invalidated. |
176179
| TOKEN RESPONSE GROUP PERMISSIONS EXCEEDED JWT LIMIT | The JWT access token with the claim [`group permissions`](../topics/tokens/access-token.md#group-permissions) has exceeded the configured length of a JWT access token. |
177180
| TOKEN REVOKE INVALID REQUEST | Invalid request while revoking token (ie. malformed syntax, required parameter missing). |
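Review bot: The three new event descriptions are not in the style of the surrounding rows: "The access token created using password grant" has no verb and no trailing period, and "Provided credentials are invalid" also lacks the period. Suggested wording: "An access token was created using the password grant." and "The provided credentials are invalid." Since the new topic page says Access relies on the identity provider for brute-force protection, operators will want to alert on bursts of `TOKEN REQUEST PASSWORD INVALID CREDENTIALS`; state here which fields the event carries (client, user identifier, source address) so that such a rate-based detection can actually be built.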
@@ -602,4 +605,3 @@ This section contains events for mobile authentication
602605
| STORE KEY VALUE INVALID IDP TYPE | The identity provider that was specified was not of the OneWelcome type. |
603606
| STORE KEY VALUE INVALID IDP CONFIG | The configuration on the OneWelcome IDP for the Storage API is not correct (bad or missing credentials). |
604607
| STORE KEY VALUE FAILED | An error occurred when storing the value in the keystore. Typically an issue in the [Consumer Identity Manager](https://docs-single-tenant.onegini.com/cim/stable/idp) application. |
605-
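Review bot: This hunk only drops the empty line 605 at the end of the file and is unrelated to ROPC; acceptable as a drive-by, but confirm the file still ends with a single newline after the last table row rather than none, since some markdown tooling treats a missing final newline as a lint error.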
Lines changed: 32 additions & 0 deletions
@@ -0,0 +1,32 @@
1+
# Resource Owner Password Credentials
2+
3+
!!! Warning
4+
The Resource Owner Password Credentials (ROPC) is deprecated and is no longer considered secure for most scenarios. It directly handles
5+
usernames and passwords, which could increase the risk of security vulnerabilities. We strongly recommend migrating
6+
to [Custom Registration](../custom-registration/index.md) flows, which provide enhanced security features and better align with
7+
current best practices in identity management. Additionally, it's imperative to restrict the use of the ROPC flow solely to private
8+
clients capable of securely holding a secret. Failure to protect this secret renders the token endpoint vulnerable to credential
9+
stuffing attacks.
10+
11+
The `Resource owner password credentials` grant type cannot be chosen when either `Authorization code` or `Device code` is configured and
12+
vice versa.
13+
14+
Features that require user interaction via the browser are not supported for web clients using the ROPC. So for example consent
15+
and additional user authentication (SMS) are not available.
16+
17+
The ROPC feature works in combination
18+
with [SAML ECP PAOS binding](https://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/cs01/saml-ecp-v2.0-cs01.pdf). Therefore a web
19+
client using this feature should have
20+
a [SAML identity provider configured](../general-app-config/identity-providers/identity-providers.md#configure-a-saml-identity-provider).
21+
The configured SAML identity provider requires a single sign on service with a `urn:oasis:names:tc:SAML:2.0:bindings:SOAP` binding in its
22+
metadata. Attribute mappings of the identity provider will be used to set the user id and other user properties.
23+
24+
The [RFC](https://tools.ietf.org/html/rfc6749#section-4.3.2) specifies that the authorization server should protect against brute force
25+
attacks. For this protection the OneWelcome Access relies on the used identity provider.
26+
27+
When a [scope verification service](../integration-extension/scope-verification/scope-verification.md) is configured, requested scopes will
28+
be verified. In case of a verification failure a `400 Bad request` response with `unauthorized_user` error is returned. This error response
29+
contains a `error_uri` field containing the scope validation failed uri configured for this [scope](../general-app-config/scopes/scopes.md).
30+
31+
32+
For other error responses please refer to the [RFC](https://tools.ietf.org/html/rfc6749#section-4.3).
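Review bot: The warning block uses the term "private clients capable of securely holding a secret"; the RFC 6749 term is "confidential clients" (section 2.1), and using the standard word here avoids ambiguity with "private key" elsewhere on the page. Several smaller fixes in the same file: "The Resource Owner Password Credentials (ROPC) is deprecated" needs "grant" after the parenthesis; "the OneWelcome Access relies on" should drop "the"; "a `error_uri` field" should be "an `error_uri` field". The scope-verification paragraph says a `400 Bad request` is returned with an `unauthorized_user` error; that code is not one of the values defined in RFC 6749 section 5.2 (`invalid_request`, `invalid_client`, `invalid_grant`, `unauthorized_client`, `unsupported_grant_type`, `invalid_scope`), so label it explicitly as a OneWelcome-specific error code, otherwise integrators will look for it in the RFC. Finally, the brute-force paragraph should say plainly that Access applies no throttling or lockout of its own on this token endpoint and that the SAML identity provider must enforce it; "relies on the used identity provider" leaves it to the reader to work that out.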

docs/products/access/topics/web-clients/web-client-configuration.md

Lines changed: 6 additions & 5 deletions
@@ -67,11 +67,12 @@ config: [OpenID Relying Party configuration](../oidc/configuration/configuratio
6767

6868
Grant types can be configured for a web client.
6969

70-
| Grant type | Description
71-
|--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
72-
| Authorization code | Specifies whether the OAuth client can use the OAuth authorization code grant type in order to allow this web client to request an access token on behalf of the end-user. This is the only grant type that is allowed for public clients using PKCE as authentication method.
73-
| Client credentials | Specifies whether a web client can use its client credentials to request an access token. Note that this access token is not linked to a user since it's solely requested by the web client without any user interaction. This function is typically used for machine-to-machine communication.
74-
| Device code | Specifies whether a web client can use the OAuth Device Code Flow in order to allow this web client to request an access token on behalf of the end-user. This grant type is used for devices that do not have a browser or have limited input capabilities.
70+
| Grant type | Description |
71+
|-------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
72+
| Authorization code | Specifies whether the OAuth client can use the OAuth authorization code grant type in order to allow this web client to request an access token on behalf of the end-user. This is the only grant type that is allowed for public clients using PKCE as authentication method. |
73+
| Client credentials | Specifies whether a web client can use its client credentials to request an access token. Note that this access token is not linked to a user since it's solely requested by the web client without any user interaction. This function is typically used for machine-to-machine communication. |
74+
| Device code | Specifies whether a web client can use the OAuth Device Code Flow in order to allow this web client to request an access token on behalf of the end-user. This grant type is used for devices that do not have a browser or have limited input capabilities. |
75+
| Resource owner password credentials | Specifies whether a web client can use the OAuth Resource Owner Password Credentials grant type in order to allow this web client to request an access token on behalf of the end-user. This grant type is not recommended and should be avoided if possible. See the topic on [Resource owner password credentials](resource-owner-password-credentials.md) for more information. |
7576

7677
## Removing a web client
7778

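Review bot: The new table row describes the grant but not the configuration constraint an administrator hits first: selecting "Resource owner password credentials" is impossible when "Authorization code" or "Device code" is already enabled, and vice versa, according to the new topic page. Add that one sentence to the row so the restriction is visible in the configuration reference and not only behind the link. Widening the first column to fit the new row name is fine; the realigned separators render identically.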
mkdocs.yml

Lines changed: 1 addition & 0 deletions
@@ -76,6 +76,7 @@ nav:
7676
- 'Web clients':
7777
- 'Introduction': products/access/topics/web-clients/index.md
7878
- 'Web client configuration': products/access/topics/web-clients/web-client-configuration.md
79+
- 'Resource Owner Password Credentials': products/access/topics/web-clients/resource-owner-password-credentials.md
7980
- 'Tokens':
8081
- 'Introduction': products/access/topics/tokens/index.md
8182
- 'Access Token': products/access/topics/tokens/access-token.md
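Review bot: Nav placement under 'Web clients' is right, but the title is in title case ('Resource Owner Password Credentials') while the sibling entries use sentence case ('Web client configuration'); use 'Resource owner password credentials' to match, which is also how the web-client-configuration table refers to it.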
