The password grant type works fine until you use the scope "openid"
With the openid scope, OpenAM tries to validate the sso token, but this grant type is session less (the session is created and immediately destroyed).
For reproducing the issue, just setup an oauth2 with the scope "profile" and "openid".
Then, try to get an access token:
You will get:
The main reason is that, in OpenIDTokenIssuer, we call
which throw an exception as the sso token is null.