"password" grant_type for token endpoint #126

Closed
amrutprabhu opened this issue Oct 5, 2020 · 7 comments

@amrutprabhu

Expected Behavior
Password grant type is supported

Current Behavior
I see that the password grant type is not supported and throws an error when we make a request with the password grant type. I saw there are only two converters: one for authorization code and one for client credentials.

Context
It's not something that is blocking me. It's just that when I worked with the spring-security-oauth2 library it worked. But it's not present in this library.

Question
So is it somewhere on the road map to be implemented, or waiting for contribution? Or is it not to be supported by this library?

@amrutprabhu amrutprabhu added the type: enhancement A general enhancement label Oct 5, 2020
@jgrandja
Collaborator

jgrandja commented Oct 6, 2020

Thanks for reaching out @amrutprabhu. We will not be providing support for the password grant as it's deprecated in OAuth 2.1. For reference, see OAuth 2.1 and It's Time for OAuth 2.1.

@jgrandja jgrandja closed this as completed Oct 6, 2020
@jgrandja jgrandja self-assigned this Oct 6, 2020
@jgrandja jgrandja removed the type: enhancement A general enhancement label Oct 6, 2020
@akuma8

akuma8 commented May 24, 2023

I need this grant in my application and I can't understand why it's deprecated. When we build an internal authorization server where we fully manage authorized clients, we can use this grant safely and it would be nice to have it by default. I will try to implement it on my own following this guide: https://docs.spring.io/spring-authorization-server/docs/current/reference/html/guides/how-to-ext-grant-type.html

@hartimcwildfly

hartimcwildfly commented May 25, 2023

I think there should be at least a hint when doing the following:

```java
RegisteredClient registeredClient = RegisteredClient.withId(UUID.randomUUID().toString())
        .clientId("my-api-local")
        .clientSecret(new BCryptPasswordEncoder(10).encode("my-super-strong-secret"))
        .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST)
        .authorizationGrantType(AuthorizationGrantType.PASSWORD)
        .build();
```

It just says that AuthorizationGrantType.PASSWORD is deprecated. But deprecated and not implemented/unsupported are not the same.
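
A startup check for the gap described in the comment above, added here as an example and not code from the thread or from Spring Authorization Server: it lists registered clients whose configured grant types the token endpoint has no handler for. `GrantTypeStartupCheck`, `findUnhandledGrants` and the `HANDLED` set are hypothetical names, and the set's contents are an assumption to adjust to your server version and any extension grants you register.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;

import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;

// Added example: hypothetical helper, not part of Spring Authorization Server.
public final class GrantTypeStartupCheck {

    // Assumption: the grant type values your deployment's token endpoint handles.
    // Extend this set if you register an extension grant.
    static final Set<String> HANDLED =
            Set.of("authorization_code", "client_credentials", "refresh_token");

    /** Returns clientId -> configured grant type values that are missing from HANDLED. */
    static Map<String, List<String>> findUnhandledGrants(List<RegisteredClient> clients) {
        Map<String, List<String>> findings = new LinkedHashMap<>();
        for (RegisteredClient client : clients) {
            List<String> unhandled = client.getAuthorizationGrantTypes().stream()
                    .map(AuthorizationGrantType::getValue)
                    .filter(value -> !HANDLED.contains(value))
                    .sorted()
                    .toList();
            if (!unhandled.isEmpty()) {
                findings.put(client.getClientId(), unhandled);
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample client mirroring the registration quoted in the thread.
        RegisteredClient legacy = RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId("my-api-local")
                .clientSecret("{noop}constructed-sample-secret")
                .authorizationGrantType(new AuthorizationGrantType("password"))
                .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
                .build();

        Map<String, List<String>> findings = findUnhandledGrants(List.of(legacy));
        if (!findings.isEmpty()) {
            // Fail fast at startup instead of finding the gap as a token-endpoint error.
            throw new IllegalStateException("Registered clients use unhandled grant types: " + findings);
        }
    }
}
```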

@akuma8

akuma8 commented May 26, 2023

@hartimcwildfly I agree with you, they should remove that constant.

@3e-maciej

Did anyone manage to implement the PASSWORD grant type flow? Any hints/snippets?
I think it is deprecated because of best practices, but there should be at least a manual on how to achieve this flow for backward compatibility when updating legacy projects...

@hartimcwildfly

My use case was to mock Auth0 for integration tests. For this I started to use this spring-authorization-server. In the end I went for a Keycloak container, which still supports the password grant type.

@jgrandja
Collaborator

@3e-maciej

> there should be at least manual how to achieve this flow for backward compatibility when updating legacy projects

See How-to: Implement an Extension Authorization Grant Type, which demonstrates how you could implement the password grant type as an extension grant.
