0 votes

WSO2 IS 5.3.0:
Use case: Register a Service Provider for OpenID Connect with code, implicit and password grant types. In addition, "Enable Authorization" is activated, which basically limits the access to the Relying Party via a role-based XACML policy.

It works fine for code and implicit flows as they go via the front channel (browser). The policy does not get evaluated when using password flow. Is that by design or is that a bug?

1 Answer

0 votes

This is the expected behavior of the password grant type flow.