Reputation: 1
How to reuse passwords with OAuth2
I have an applications that uses the users login password for multiple purposes aside from authentication. The password is only used on the client side (in javascript) and never transmitted to the server outside of authentication.
Now I want to add an option for authentication vis SSO (OpenID Connect).
Normaly the password would never be seen by the Web App (or the browser session) when using oauth however.
I want to reuse the password entered on the SSO service within the browser session of my own application. To be clear, the browser session on my own application needs to see the password. It is never transmitted to the server. (Alternatively I could also add a workaround to use a hash of the password instead)
How do I archive this in a secure manner?
OAuth2 does support the "Password Grant" that would allow the client application to collect the credentials itself and sent it to the SSO service, but this is marked legacy and therefore not an option. Iframes would also come to mind as a workaround but that seems even more like a hack.
Upvotes: 0
Views: 14
Answers (0)
Related Questions
- How is OAuth 2 different from OAuth 1?
- Single sign-on flow using JWT for cross domain authentication
- Why is there an "Authorization Code" flow in OAuth2 when "Implicit" flow works so well?
- OAuth2 based SSO
- SPA best practices for authentication and session management
- SSO with CAS or OAuth?
- OAuth2 Password Grant vs OpenID Connect
- OAuth2: Resource Owner OpenID Grant?