From 5977a1bec1e7acc984b8dd95852b6ef64aa11ff5 Mon Sep 17 00:00:00 2001 From: spruce-bruce Date: Mon, 2 Oct 2017 10:52:27 -0700 Subject: [PATCH 1/4] add changelog with single entry from 1.3.1 to be backfilled with older release data --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 CHANGELOG.md diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 00000000..e8040727 --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,4 @@ + +## [v1.3.1](https://github.com/synapsestudios/oidc-platform/compare/v1.3.0...release/v1.3.1) - 2017-10-2 +### Added +- [#123](https://github.com/synapsestudios/oidc-platform/pull/123) Allow password grant type in database. From c5185a95d1c34b409ce8f71ad3d634acb68c7782 Mon Sep 17 00:00:00 2001 From: spruce-bruce Date: Mon, 2 Oct 2017 10:53:45 -0700 Subject: [PATCH 2/4] placeholder file for upgrade guide --- UPGRADE.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 UPGRADE.md diff --git a/UPGRADE.md b/UPGRADE.md new file mode 100644 index 00000000..12de9436 --- /dev/null +++ b/UPGRADE.md @@ -0,0 +1 @@ +# UPGRADE From fbd390ae656b041ad5aef62c80b1983232ce6320 Mon Sep 17 00:00:00 2001 From: spruce-bruce Date: Mon, 2 Oct 2017 11:03:56 -0700 Subject: [PATCH 3/4] update docs with password grant --- docs/implementation.md | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/docs/implementation.md b/docs/implementation.md index b808ee3a..3256c012 100644 --- a/docs/implementation.md +++ b/docs/implementation.md 
@@ -120,10 +120,10 @@ Methods for creating users is not defined by the OpenID Connect specification. A The OIDC Platform provides an endpoint that will invite your user to create an account. The invite workflow looks like this: 1. Your application POSTs to the invite endpoint with your new users email address (plus some more information needed to get this user back to your application) -1. The OIDC Platform sends an email to your user with a link that allows them to click into the OIDC Platform -1. The user follows the link and is prompted to create a password -1. Once the user's password is created they are redirected the login screen -1. If the user logs in they will be redirected back to your application (to the redirect_url you specified when POSTing the invite) +2. The OIDC Platform sends an email to your user with a link that allows them to click into the OIDC Platform +3. The user follows the link and is prompted to create a password +4. Once the user's password is created they are redirected the login screen +5. If the user logs in they will be redirected back to your application (to the redirect_url you specified when POSTing the invite) You will also be able to trigger reinvites for users that have not yet responded to their original invite. 
@@ -259,6 +259,20 @@ Authorization: Basic ${base64Encode(clientId:clientSecret)} grant_type=client_credentials&scope=admin ``` +### Password Grant + +The password grant is used when an application is logging in on behalf of the user _without_ using any of the redirect workflows. This method requires your client app to collect the user's username and password and pass that along to the token endpoint which of course has security implecations. You should only use the password grant if the client app is controlled by you or is otherwise trusted. Make sure to use HTTPS to issue this request. + +#### Example token request + +``` +POST /op/token +Host: ${providerDomain} +Content-Type: application/x-www-form-urlencoded +Authorization: Basic ${base64Encode(clientId:clientSecret)} +grant_type=password&username=${username}&password={password} +``` + ### Refresh Token TODO @@ -314,8 +328,8 @@ If this behavior is undesirable for your application see the next two sections. If when your user logs out of your app you want to allow them to optionally log out of the OIDC service you can make use of the [OIDC Logout](http://openid.net/specs/openid-connect-session-1_0.html#RPLogout) which is defined in the OpenID Connect Session Management specification. This logout workflow works like this: 1. Your application redirects the user the the OIDC Platform's logout url (with some optional parameters) -1. The user is asked whether or not they want to log out of the OIDC Platform -1. After choosing, the user is (optionally) redirected back to your application +2. The user is asked whether or not they want to log out of the OIDC Platform +3. After choosing, the user is (optionally) redirected back to your application #### Example logout url From f35b9b46f62948fdbfc6387496bea13face19625 Mon Sep 17 00:00:00 2001 From: spruce-bruce Date: Mon, 2 Oct 2017 11:12:15 -0700 Subject: [PATCH 4/4] using 1. --- docs/implementation.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/docs/implementation.md b/docs/implementation.md index 3256c012..8cadbef9 100644 --- a/docs/implementation.md +++ b/docs/implementation.md @@ -120,10 +120,10 @@ Methods for creating users is not defined by the OpenID Connect specification. A The OIDC Platform provides an endpoint that will invite your user to create an account. The invite workflow looks like this: 1. Your application POSTs to the invite endpoint with your new users email address (plus some more information needed to get this user back to your application) -2. The OIDC Platform sends an email to your user with a link that allows them to click into the OIDC Platform -3. The user follows the link and is prompted to create a password -4. Once the user's password is created they are redirected the login screen -5. If the user logs in they will be redirected back to your application (to the redirect_url you specified when POSTing the invite) +1. The OIDC Platform sends an email to your user with a link that allows them to click into the OIDC Platform +1. The user follows the link and is prompted to create a password +1. Once the user's password is created they are redirected the login screen +1. If the user logs in they will be redirected back to your application (to the redirect_url you specified when POSTing the invite) You will also be able to trigger reinvites for users that have not yet responded to their original invite. 
@@ -328,8 +328,8 @@ If this behavior is undesirable for your application see the next two sections. If when your user logs out of your app you want to allow them to optionally log out of the OIDC service you can make use of the [OIDC Logout](http://openid.net/specs/openid-connect-session-1_0.html#RPLogout) which is defined in the OpenID Connect Session Management specification. This logout workflow works like this: 1. Your application redirects the user the the OIDC Platform's logout url (with some optional parameters) -2. The user is asked whether or not they want to log out of the OIDC Platform -3. After choosing, the user is (optionally) redirected back to your application +1. The user is asked whether or not they want to log out of the OIDC Platform +1. After choosing, the user is (optionally) redirected back to your application #### Example logout url
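Review bot: in the CHANGELOG.md hunk of PATCH 1/4, the release date `2017-10-2` should be zero-padded to `2017-10-02` so entries sort and parse consistently, and the file should not open with an empty line before the `## [v1.3.1]` heading. The compare link also mixes a tag with a branch (`v1.3.0...release/v1.3.1`); once the release is tagged, `v1.3.0...v1.3.1` will keep pointing at the same diff even after the release branch is deleted.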
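Review bot: the UPGRADE.md hunk in PATCH 2/4 adds only a `# UPGRADE` heading, which tells a reader upgrading to 1.3.1 nothing. Either add one line stating that 1.3.1 needs no migration steps, or a note that the guide is being backfilled and where to look in the meantime (the CHANGELOG added in 1/4), so the file is not mistaken for a complete guide.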
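Review bot: the `@@ -120` hunk in PATCH 3/4 rewrites every step of the invite list, so it is the place to fix the wording defects those lines carry: `+4. Once the user's password is created they are redirected the login screen` is missing "to" ("redirected to the login screen"), and the first step still reads "your new users email address" (should be "user's"). Note also that PATCH 4/4 reverts the `2.`/`3.`/`4.`/`5.` numbering introduced here back to `1.`, so the numbering part of this hunk is pure churn and the two patches should be squashed.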
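Review bot: in the `@@ -259` hunk of PATCH 3/4, the example token request body is inconsistent with the rest of the snippet: `grant_type=password&username=${username}&password={password}` drops the `$` on the password placeholder, so a reader copying the example would send the literal string `{password}`. Make it `password=${password}` and state that both values must be form-URL-encoded, since passwords routinely contain `&`, `=`, `+` and `%`. The prose has a typo ("implecations" should be "implications"), and since the changelog entry in 1/4 ("Allow password grant type in database") indicates the grant is enabled per client, the section should say that the client must be configured for `password` before this request will succeed, and should stress that the client app must not persist the collected credentials once the token has been issued.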
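Review bot: the `@@ -314` hunk in PATCH 3/4 touches the logout steps but leaves the duplicated word in the first step's context line, "redirects the user the the OIDC Platform's logout url"; while this list is being edited, fix it to "redirects the user to the OIDC Platform's logout url" (and "url" to "URL" to match "HTTPS" elsewhere in the doc). As with the invite list, the `2.`/`3.` renumbering here is undone by the `@@ -328` hunk in PATCH 4/4, so this change should be dropped or the two patches squashed.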
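Review bot: both hunks in PATCH 4/4 ("using 1.") exist only to revert the renumbering that PATCH 3/4 introduced in the same series; Markdown renders `1.` repeated and `1.`/`2.`/`3.` identically, so neither change has any effect on the rendered docs. Squash 4/4 into 3/4 so the series contains only the substantive change (the new Password Grant section), and expand the commit message to say why the repeated-`1.` convention is preferred.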