.AddOpenIdConnect() with Resource Owner Password Grant Type

[joepietrzak]

Hello,

I can find example after example online for how to request token to access a protected API via Resource Owner Password flow ("ropc") for OAuth2, e.g. https://docs.identityserver.io/en/release/quickstarts/2_resource_owner_passwords.html

What I'm having trouble finding is an example of how to do so for OpenID Connect. This StackOverflow answer says it should absolutely be possible https://stackoverflow.com/questions/24047047/does-openid-connect-support-the-resource-owner-password-credentials-grant#:~:text=Yes%2C%20OpenID%20Connect%20supports%20all,authorization%20server%20and%20a%20user.

For other ASP.NET Core web apps, I use the Authorization Code flow and I bootstrap the Authentication in Startup.cs by using services.AddAuthentication().AddCookies().AddOpenIdConnect()
This makes sense because all I need are the client ID and secret and I know those ahead of time and can set them within AddOpenIdConnect. For Resource Owner Password, however, I need to set the username and password (which I do not know until the user sends it). I am not sure how to do this (with an event handler perhaps?) I was hoping someone could offer some guidance. I cannot find any such example online. If there is an easier/better way to authenticate with the Resource Owner Password flow for OpenID Connect (i.e. interactive web app), please let me know.

Thank you!

[Tratcher]

These components are only designed for use with the interactive flow, not the ropc flow. For ropc you make an HTTP request directly to the token endpoint. That should be done directly by the client, they shouldn't be sending your app their username and password for you to submit.

[joepietrzak]

That makes sense, thank you