
OAuth2: Resource Owner OpenID Grant?


I've been struggling over the past couple of days to wrap my head around something. I have worked with OAuth2 servers before and am familiar with all the spec grant types. But I'm working on an application where I want to use an OpenID service for user authentication to my OAuth2 server.

But the issue is I want an implicit trust with my application and my server, so somewhat like the resource owner password grant. But the issue is I'm not authenticating with a password; I'm authenticating with an OpenID provider.

So would I be stuck basically making a custom grant type to deal with this? Are there any future plans to implement such a grant type in the spec? Any advice would be really appreciated as I cannot find any relevant information after searching long and hard.

Thanks


Solution

  • The spec has drafted the OAuth assertion flow that is basically meant for authenticating with external providers. The IETF draft can be located here

    OAuth servers that support the assertion flow are (not a complete list):

    1. songkick/oauth2-provider (Ruby)
    2. RangelReale/osin (Golang)
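
As an added illustration (not code from the answer or from either project listed), this is the shape of the assertion grant the answer refers to, which the IETF later published as RFC 7521 and its JWT profile RFC 7523: the client posts `grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer` with the assertion, and the authorization server issues a token only after checking the signature, issuer, audience, subject and expiry. The HS256 shared key, the issuer and audience URLs and the claim values are constructed assumptions to keep the example offline; a real OpenID provider signs with its own key and the server verifies against the provider's published keys.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

# Constructed demo key (assumption). In production the OpenID provider signs with its
# private key and the authorization server verifies against the provider's public keys.
PROVIDER_KEY = b"demo-shared-secret"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"  # grant_type URN from RFC 7523

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_assertion(claims: dict, key: bytes = PROVIDER_KEY) -> str:
    """Build a compact JWT assertion (HS256) the way the OpenID provider would issue it."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def token_request(assertion: str, scope: str = "openid profile") -> str:
    """Form body the client POSTs to the OAuth2 token endpoint for the assertion grant."""
    return urlencode({"grant_type": JWT_BEARER, "assertion": assertion, "scope": scope})

def validate_assertion(assertion: str, issuer: str, audience: str,
                       key: bytes = PROVIDER_KEY, now=None) -> dict:
    """Authorization-server side: verify the signature and the claims RFC 7523 requires.
    Raises ValueError on any failure and returns the claims only on success."""
    try:
        header, body, sig = assertion.split(".")
    except ValueError:
        raise ValueError("malformed assertion")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":  # pin the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:       # only the trusted OpenID provider may vouch
        raise ValueError("untrusted issuer")
    if claims.get("aud") != audience:     # assertion must be meant for this token endpoint
        raise ValueError("wrong audience")
    if "sub" not in claims:               # the user the provider authenticated
        raise ValueError("missing subject")
    if claims.get("exp", 0) <= now:       # exp is required; reject expired assertions
        raise ValueError("expired")
    return claims
```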