How do I get an id_token for a password grant flow?

For the implicit grant I’m supposed to use response_type=token id_token to get both an access_token and an id_token.

The password grant’s request doesn’t include a response_type though, so how am I supposed to specify that I want an id_token in the response?

You need to use the scope parameter for this (i.e. scope=openid at least).

For example:

curl -X POST -H "Content-Type: application/json" -d '{
  "client_id": "...",
  "client_secret": "...",
  "audience": "",
  "scope": "openid email read:email",
  "username": "...",
  "password": "...",
  "grant_type": "",
  "realm": "Username-Password-Authentication"
}' ""

In this example, openid email are scopes requested for the id_token and read:email is for the access_token.

This is also touched upon in our documentation where it talks about “how to get a user’s claims”.