SAAS-1193 add additional ROPC page

karolrom-thales · karolrom-thales · commit db4c370ece2e · 2024-04-04T08:52:34.000+02:00
diff --git a/docs/products/access/api-reference/description-oauth-endpoint.md b/docs/products/access/api-reference/description-oauth-endpoint.md
@@ -35,6 +35,8 @@ this flow.
 * The client credentials flow returns an access token that gives access to resources for a specific client. For example, when the user requests the general 
 terms and conditions document, the resource server needs to know which client requests access to this document. The resource server does not need to know on
 behalf of which user the client requests access. Obtaining the access token can be automated and does not require user interaction.
+* The Resource Owner Password Credentials (ROPC) is deprecated and is no longer considered secure for most scenarios. See the topic
+  on [Resource owner password credentials](../topics/web-clients/resource-owner-password-credentials.md) for more information.
 
 ## Authorization endpoint
 The authorization endpoint is used in the authorization code flow. In this flow, the 
diff --git a/docs/products/access/topics/web-clients/resource-owner-password-credentials.md b/docs/products/access/topics/web-clients/resource-owner-password-credentials.md
@@ -0,0 +1,32 @@
+# Resource Owner Password Credentials
+
+!!! Warning
+    The Resource Owner Password Credentials (ROPC) is deprecated and is no longer considered secure for most scenarios. It directly handles
+    usernames and passwords, which could increase the risk of security vulnerabilities. We strongly recommend migrating
+    to [Custom Registration](../custom-registration/index.md) flows, which provide enhanced security features and better align with
+    current best practices in identity management. Additionally, it's imperative to restrict the use of the ROPC flow solely to private
+    clients capable of securely holding a secret. Failure to protect this secret renders the token endpoint vulnerable to credential
+    stuffing attacks.
+
+The `Resource owner password credentials` grant type cannot be chosen when either `Authorization code` or `Device code` is configured and
+vice versa.
+
+Features that require user interaction via the browser are not supported for web clients using the ROPC. So for example consent
+and additional user authentication (SMS) are not available.
+
+The ROPC feature works in combination
+with [SAML ECP PAOS binding](https://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/cs01/saml-ecp-v2.0-cs01.pdf). Therefore a web
+client using this feature should have
+a [SAML identity provider configured](../general-app-config/identity-providers/identity-providers.md#configure-a-saml-identity-provider).
+The configured SAML identity provider requires a single sign on service with a `urn:oasis:names:tc:SAML:2.0:bindings:SOAP` binding in its
+metadata. Attribute mappings of the identity provider will be used to set the user id and other user properties.
+
+The [RFC](https://tools.ietf.org/html/rfc6749#section-4.3.2) specifies that the authorization server should protect against brute force
+attacks. For this protection the OneWelcome Access relies on the used identity provider.
+
+When a [scope verification service](../integration-extension/scope-verification/scope-verification.md) is configured, requested scopes will
+be verified. In case of a verification failure a `400 Bad request` response with `unauthorized_user` error is returned. This error response
+contains a `error_uri` field containing the scope validation failed uri configured for this [scope](../general-app-config/scopes/scopes.md).
+
+
+For other error responses please refer to the [RFC](https://tools.ietf.org/html/rfc6749#section-4.3). 
diff --git a/docs/products/access/topics/web-clients/web-client-configuration.md b/docs/products/access/topics/web-clients/web-client-configuration.md
@@ -67,12 +67,12 @@ config:  [OpenID Relying Party configuration](../oidc/configuration/configuratio
 
 Grant types can be configured for a web client.
 
-| Grant type                          | Description                                                                                                                                                                                                                                                                                     |
-|-------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Authorization code                  | Specifies whether the OAuth client can use the OAuth authorization code grant type in order to allow this web client to request an access token on behalf of the end-user. This is the only grant type that is allowed for public clients using PKCE as authentication method.                  |
-| Client credentials                  | Specifies whether a web client can use its client credentials to request an access token. Note that this access token is not linked to a user since it's solely requested by the web client without any user interaction. This function is typically used for machine-to-machine communication. |
-| Device code                         | Specifies whether a web client can use the OAuth Device Code Flow in order to allow this web client to request an access token on behalf of the end-user. This grant type is used for devices that do not have a browser or have limited input capabilities.                                    |
-| Resource owner password credentials | Specifies whether a web client can use the OAuth Resource Owner Password Credentials grant type in order to allow this web client to request an access token on behalf of the end-user. This grant type is not recommended and should be avoided if possible.                                   |
+| Grant type                          | Description                                                                                                                                                                                                                                                                                                                                                                        |
+|-------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Authorization code                  | Specifies whether the OAuth client can use the OAuth authorization code grant type in order to allow this web client to request an access token on behalf of the end-user. This is the only grant type that is allowed for public clients using PKCE as authentication method.                                                                                                     |
+| Client credentials                  | Specifies whether a web client can use its client credentials to request an access token. Note that this access token is not linked to a user since it's solely requested by the web client without any user interaction. This function is typically used for machine-to-machine communication.                                                                                    |
+| Device code                         | Specifies whether a web client can use the OAuth Device Code Flow in order to allow this web client to request an access token on behalf of the end-user. This grant type is used for devices that do not have a browser or have limited input capabilities.                                                                                                                       |
+| Resource owner password credentials | Specifies whether a web client can use the OAuth Resource Owner Password Credentials grant type in order to allow this web client to request an access token on behalf of the end-user. This grant type is not recommended and should be avoided if possible. See the topic on [Resource owner password credentials](resource-owner-password-credentials.md) for more information. |
 
 ## Removing a web client
 
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -76,6 +76,7 @@ nav:
               - 'Web clients':
                   - 'Introduction': products/access/topics/web-clients/index.md
                   - 'Web client configuration': products/access/topics/web-clients/web-client-configuration.md
+                  - 'Resource Owner Password Credentials': products/access/topics/web-clients/resource-owner-password-credentials.md
               - 'Tokens':
                   - 'Introduction': products/access/topics/tokens/index.md
                   - 'Access Token': products/access/topics/tokens/access-token.md
