Merge release/v1.3.1 into master

synapsestudios · Oct 2, 2017 · d482fc0 · d482fc0
2 parents 68a826a + 0df6823
commit d482fc0
Show file tree

Hide file tree

Showing 5 changed files with 62 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -0,0 +1,4 @@
+
+## [v1.3.1](https://github.com/synapsestudios/oidc-platform/compare/v1.3.0...release/v1.3.1) - 2017-10-2
+### Added
+- [#123](https://github.com/synapsestudios/oidc-platform/pull/123) Allow password grant type in database.
diff --git a/UPGRADE.md b/UPGRADE.md
@@ -0,0 +1 @@
+# UPGRADE
diff --git a/api/migrations/20170929205124_password-grant.js b/api/migrations/20170929205124_password-grant.js
@@ -0,0 +1,43 @@
+
+exports.up = function(knex, Promise) {
+  if (process.env.OIDC_DB_ADAPTER === 'mysql') {
+    return knex.raw(`
+      ALTER TABLE SIP_client_grant
+        CHANGE grant_type grant_type ENUM('client_credentials', 'refresh_token', 'authorization_code', 'implicit', 'password')
+    `);
+  } else {
+    return knex.raw(`
+      ALTER TABLE "public"."SIP_client_grant"
+        DROP CONSTRAINT "SIP_client_grant_grant_type_check",
+        ADD CONSTRAINT "SIP_client_grant_grant_type_check" CHECK (
+          grant_type = ANY (ARRAY[
+            'client_credentials'::text,
+            'refresh_token'::text,
+            'authorization_code'::text,
+            'implicit'::text,
+            'password'::text
+          ]));
+    `);
+  }
+};
+
+exports.down = function(knex, Promise) {
+  if (process.env.OIDC_DB_ADAPTER === 'mysql') {
+    return knex.raw(`
+      ALTER TABLE SIP_client_grant
+        CHANGE grant_type grant_type ENUM('client_credentials', 'refresh_token', 'authorization_code', 'implicit')
+    `);
+  } else {
+    return knex.raw(`
+      ALTER TABLE "public"."SIP_client_grant"
+        DROP CONSTRAINT "SIP_client_grant_grant_type_check",
+        ADD CONSTRAINT "SIP_client_grant_grant_type_check" CHECK (
+          grant_type = ANY (ARRAY[
+            'client_credentials'::text,
+            'refresh_token'::text,
+            'authorization_code'::text,
+            'implicit'::text
+          ]));
+    `);
+  }
+};
diff --git a/docs/implementation.md b/docs/implementation.md
@@ -259,6 +259,20 @@ Authorization: Basic ${base64Encode(clientId:clientSecret)}
 grant_type=client_credentials&scope=admin
 ```
 
+### Password Grant
+
+The password grant is used when an application is logging in on behalf of the user _without_ using any of the redirect workflows. This method requires your client app to collect the user's username and password and pass that along to the token endpoint which of course has security implecations. You should only use the password grant if the client app is controlled by you or is otherwise trusted. Make sure to use HTTPS to issue this request.
+
+#### Example token request
+
+```
+POST /op/token
+Host: ${providerDomain}
+Content-Type: application/x-www-form-urlencoded
+Authorization: Basic ${base64Encode(clientId:clientSecret)}
+grant_type=password&username=${username}&password={password}
+```
+
 ### Refresh Token
 
 TODO

diff --git a/oidc-provider.paw b/oidc-provider.paw