diff --git a/docs/index.rst b/docs/index.rst index cb4816a..1a15854 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -8,6 +8,7 @@ Also implements the following specifications: * `OpenID Connect Discovery 1.0 `_ * `OpenID Connect Session Management 1.0 `_ * `OAuth 2.0 for Native Apps `_ +* `OAuth 2.0 Resource Owner Password Credentials Grant `_ * `Proof Key for Code Exchange by OAuth Public Clients `_ -------------------------------------------------------------------------------- @@ -16,6 +17,7 @@ Before getting started there are some important things that you should know: * Despite that implementation MUST support TLS. You can make request without using SSL. There is no control on that. * Supports only for requesting Claims using Scope values. +* If you enable the Resource Owner Password Credentials Grant, you MUST implement protection against brute force attacks on the token endpoint -------------------------------------------------------------------------------- diff --git a/docs/sections/settings.rst b/docs/sections/settings.rst index bba57d7..2a6c85b 100644 --- a/docs/sections/settings.rst +++ b/docs/sections/settings.rst 
@@ -147,3 +147,20 @@ Example usage:: .. note:: Please **DO NOT** add extra keys or delete the existing ones in the ``claims`` dict. If you want to add extra claims to some scopes you can use the ``OIDC_EXTRA_SCOPE_CLAIMS`` setting. + +OIDC_GRANT_TYPE_PASSWORD_ENABLE +=============================== +OPTIONAL. A boolean to set whether to allow the Resource Owner Password +Credentials Grant. https://tools.ietf.org/html/rfc6749#section-4.3 + +.. important:: + From the specification: + "Since this access token request utilizes the resource owner's + password, the authorization server **MUST** protect the endpoint + against brute force attacks (e.g., using rate-limitation or + generating alerts)." + + There are many ways to implement brute force attack prevention. We cannot + decide what works best for you, so you will have to implement a solution for + this that suits your needs. +
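Review bot: In the first hunk of ``docs/index.rst`` the new bullet lists the Resource Owner Password Credentials Grant alongside separate specifications, but it is a grant type defined in section 4.3 of RFC 6749 rather than a standalone spec; consider wording the entry as ``OAuth 2.0 Resource Owner Password Credentials Grant (RFC 6749, section 4.3)`` and pointing its link target at ``https://tools.ietf.org/html/rfc6749#section-4.3``, the same URL the settings hunk uses, so readers are not led to look for a document that does not exist.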
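Review bot: The added bullet in the second hunk of ``docs/index.rst`` is the only one in that list without a terminating period, and it names the feature ("Resource Owner Password Credentials Grant") without saying how it is enabled; ending the sentence with a period and adding a reference such as ``(see the OIDC_GRANT_TYPE_PASSWORD_ENABLE setting)`` would keep the list consistent and let a reader jump from the warning to the switch it refers to.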
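Review bot: The ``OIDC_GRANT_TYPE_PASSWORD_ENABLE`` section in ``docs/sections/settings.rst`` never states the default value, so a reader cannot tell from the docs whether the password grant is off unless explicitly turned on; please add a line such as ``Default: False`` (or whatever the code actually defaults to) directly after ``OPTIONAL.``, and render the bare URL as an RST link, e.g. ```RFC 6749, section 4.3 <https://tools.ietf.org/html/rfc6749#section-4.3>`_``. The ``important`` block quotes the MUST from the RFC but, unlike the index bullet, does not name the endpoint that needs protecting; stating that the rate limiting or alerting applies to the token endpoint, and that it is the integrator's responsibility because this package ships none, would make the two pages agree. The hunk also ends with an extra blank ``+`` line that adds trailing whitespace at end of file.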