Eric Chiang

Results 126 comments of Eric Chiang

Rewording this issue. By popular demand, we're going to explore supporting the [_"Resource Owner Password Credentials Grant"_](https://tools.ietf.org/html/rfc6749#section-4.3) for password-based login methods (local users, and LDAP). This grant allows OAuth2...

> Agreed this is a cleaner approach. How do you plan to handle backwards compatibility? Or do you plan to continue to allow expansion where it exists now? * Don't...

Can we do #1272 instead?

I think the crux of the issue is "prevent unauthenticated users from creating too much backend state." Rate limiting would be good, but overall we probably want to tie the...

I bet there's a way we can get away from storing state until we know a user's authenticated by using a cookie. The naive way would be to serialize the...

In addition, if someone has allowed the public flow AND hasn't added a specific CORS profile, we should just default to a basic CORS profile that makes public flows work....

This is blocked on https://github.com/coreos/dex/issues/863. Since so many providers implement refresh tokens differently, we don't actually re-query the upstream provider when a dex client refreshes its token. So we don't...

Groups are much more likely to change dynamically. I'm not saying that it's good that we don't update the other claims, but we definitely want to address this before expanding...

Yeah, going to re-open for tracking this issue. Thanks for opening and sorry we don't have a better answer today.

Plugins are going to have the same pain as we update interfaces or deploy new versions of Go (https://github.com/golang/go/issues/17832). I don't get why this deployment strategy is better than forking...