[OPENAM-8485] Resource owner password grant should continue along an auth chain when the first module fails due to being non-username/pwd based
Created: 04/Mar/16 Updated: 22/Jul/20 Resolved: 22/Jul/20
|Component/s:||authentication, oauth2, OpenID Connect, rest|
Currently, when the first module of the default authentication chain does not require a username and password, requesting an access token with the password grant flow fails.
We should allow authentication to continue down the chain until it reaches an appropriate module.
Adding an 'auth_chain' parameter can get around this successfully by specifying a different chain to use. However, it is not compliant, and the authentication method should be transparent; the client should not know about different methods.
Also attempted to use the 'acr_values' parameter mapped to different authentication chains, as this is standards compliant. It works for the authorize endpoint, but not access_token.
|Comment by Andy Hall [ 10/Oct/17 ]|
The intention would be to deliver this functionality using Authentication Trees.
|Comment by Andy Hall [ 22/Jul/20 ]|
This should now be possible in trees.