From f7908bb1b9018a710dc0613691bb479b4e26b4e6 Mon Sep 17 00:00:00 2001
From: Niels van Huijstee <niels.vanhuijstee@cyso.com>
Date: Tue, 13 Dec 2016 14:13:57 +0100
Subject: [PATCH] Add documentation for grant type password

---
 docs/index.rst             |  2 ++
 docs/sections/settings.rst | 17 +++++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/docs/index.rst b/docs/index.rst
index cb4816a..1a15854 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -8,6 +8,7 @@ Also implements the following specifications:
 * `OpenID Connect Discovery 1.0 <https://openid.net/specs/openid-connect-discovery-1_0.html>`_
 * `OpenID Connect Session Management 1.0 <https://openid.net/specs/openid-connect-session-1_0.html>`_
 * `OAuth 2.0 for Native Apps <https://tools.ietf.org/html/draft-ietf-oauth-native-apps-01>`_
+* `OAuth 2.0 Resource Owner Password Credentials Grant <https://tools.ietf.org/html/rfc6749#section-4.3>`_
 * `Proof Key for Code Exchange by OAuth Public Clients <https://tools.ietf.org/html/rfc7636>`_
 
 --------------------------------------------------------------------------------
@@ -16,6 +17,7 @@ Before getting started there are some important things that you should know:
 
 * Despite that implementation MUST support TLS. You can make request without using SSL. There is no control on that.
 * Supports only for requesting Claims using Scope values.
+* If you enable the Resource Owner Password Credentials Grant, you MUST implement protection against brute force attacks on the token endpoint
 
 --------------------------------------------------------------------------------
 
diff --git a/docs/sections/settings.rst b/docs/sections/settings.rst
index bba57d7..2a6c85b 100644
--- a/docs/sections/settings.rst
+++ b/docs/sections/settings.rst
@@ -147,3 +147,20 @@ Example usage::
 
 .. note::
     Please **DO NOT** add extra keys or delete the existing ones in the ``claims`` dict. If you want to add extra claims to some scopes you can use the ``OIDC_EXTRA_SCOPE_CLAIMS`` setting.
+
+OIDC_GRANT_TYPE_PASSWORD_ENABLE
+===============================
+OPTIONAL. A boolean to set whether to allow the Resource Owner Password
+Credentials Grant. https://tools.ietf.org/html/rfc6749#section-4.3
+
+.. important::
+    From the specification:
+    "Since this access token request utilizes the resource owner's
+    password, the authorization server **MUST** protect the endpoint
+    against brute force attacks (e.g., using rate-limitation or
+    generating alerts)."
+
+    There are many ways to implement brute force attack prevention. We cannot
+    decide what works best for you, so you will have to implement a solution for
+    this that suits your needs.
+