
I am looking to create a brand new authentication service that follows the OpenID Connect protocol. I would like to use a username/password combination for the authentication and the authorization grant, and I'm curious what the downsides are of adding the username/password to the Authorization Endpoint.

If I understand the OpenID Connect protocol, the Authorization Endpoint would start a session, track the clientId and other information from the URL, then bring the user to a login page where they could enter their credentials. After they have submitted their information, the session would process the login, verify the clientId/other information, and redirect the user to the callback URL on success.

Ideally, I would like to avoid tracking a session and instead serve a SPA that asks for the user's credentials, pulls the client id and other information from the URL, combines that information with the user's credentials, and passes everything to the Authorization Endpoint in one request; assuming successful validation/authentication in the service, it would then redirect the user to the callback URL.

What am I overlooking? I don't see this method documented anywhere, and I'm having trouble finding issues with this idea.
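The Authorization Endpoint flow described in the question, as an added example that is not the question author's code: a minimal authorization-code issuance and redemption in Python with constructed client and user registrations (the client id, redirect URI, user and password are assumptions). It shows the checks the endpoint has to make whether credentials arrive via a separate login page or in the same request: the redirect_uri is matched exactly against the registration before any redirect, the client's state is echoed back, a failed login never redirects, and the code is short-lived, single use and bound to the client_id, redirect_uri and nonce of the original request.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Constructed sample registrations (assumptions for this example, not from the question).
CLIENTS = {"spa-client": {"redirect_uris": {"https://app.example/callback"}}}

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

USERS = {"alice": (b"salt-alice", _pw_hash("correct horse", b"salt-alice"))}
ISSUED_CODES = {}  # code -> binding; a real service keeps this in a shared store

def check_password(username, password):
    salt, stored = USERS.get(username, (b"dummy", b""))  # hash even for unknown users
    return hmac.compare_digest(_pw_hash(password, salt), stored)

def _redirect(uri, **query):
    """Build the callback URL, echoing the client's state back untouched."""
    return f"{uri}?{urlencode({k: v for k, v in query.items() if v is not None})}"

def authorize(params, username, password, now):
    """Returns (redirect_url, None), or (None, reason) when the server must not redirect."""
    client = CLIENTS.get(params.get("client_id"))
    if client is None:
        return None, "unknown client_id"
    redirect_uri = params.get("redirect_uri")
    if redirect_uri not in client["redirect_uris"]:  # exact match; never redirect elsewhere
        return None, "redirect_uri not registered"
    state = params.get("state")
    if params.get("response_type") != "code" or "openid" not in params.get("scope", "").split():
        return _redirect(redirect_uri, error="invalid_request", state=state), None
    if not check_password(username, password):
        return None, "invalid credentials"  # re-show the login form, no redirect
    code = secrets.token_urlsafe(32)  # short-lived, single use, bound to the request
    ISSUED_CODES[code] = {"client_id": params["client_id"], "redirect_uri": redirect_uri,
                          "nonce": params.get("nonce"), "sub": username, "expires": now + 60}
    return _redirect(redirect_uri, code=code, state=state), None

def redeem_code(code, client_id, redirect_uri, now):
    """Token endpoint side: returns the binding (sub, nonce) once, or None."""
    binding = ISSUED_CODES.pop(code, None)  # pop so a replayed code fails
    if (binding is None or binding["expires"] < now
            or binding["client_id"] != client_id or binding["redirect_uri"] != redirect_uri):
        return None
    return binding
```

The `now` argument is passed in explicitly so the expiry check can be exercised deterministically; the binding returned by `redeem_code` is what the token endpoint would use to mint the ID token (`sub` and `nonce`).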
