OAuth Resource Owner Password Credentials Flow

OAuth Resource Owner Password Credentials Flow

develop

The OAuth Resource Owner Password Credentials Flow in Detail

Resource Owner Password Credentials Flow Overview

The Resource Owner Password Credentials flow is a server to server flow. The user is authenticated by the client passing the username and password in the request. This is an anti-pattern and the flow only exists to provide an outlet for applications that need to be migrated to use OAuth protected APIs, but cannot be re-written.

Legacy flow

The ROPC flow only exist to support legacy applications. Do not use in new development.

Token Endpoint

Client Credentials Flow

  1. The Client makes a POST request to the OAuth Server
  2. The OAuth Server issues the tokens immediately and responds to the client

User Authentication

The user is authenticated in the token request. The Client passes the username and password to the token endpoint. There is no other way to authenticate the user, and multi-factor authentication is not supported by the flow.

Client Authentication

The client authenticates in the Token part of the flow. Client authentication can be done in many ways, the most common being client secret. The following authentication mechanisms are supported in Curity:

  • No authentication (public client)
  • Secret in post body
  • Secret using basic Authentication
  • Client Assertion JWT
  • Mutual TLS (mTLS) client certificate

The Access Token

The Access Token is returned by the token endpoint. It is the token that later can be used to call the API and gain access. It is a Bearer token, and must not be sent to untrusted parties. The access token usually have a lifetime of 5-30 minutes.

The Refresh Token

The Refresh Token is issued if the client is configured to have refresh tokens. This token can be used to obtain more access tokens once the first one expires. The refresh token may have a very long lifetime, ranging from hours to years.

The Token Endpoint

Request Parameters

  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Response Type: json
ParameterValueMandatoryDescription
client_idThe Client IDyesThe ID of the requesting client
client_secretThe client secretyes*The secret of the client. *Mandatory if client authentication is of type secret, and the authentication is not done using basic authentication
grant_typepasswordyesTells the token endpoint to do perform the resource owner password credential flow.
scopeSpace separated string of scopesnoList the scopes the client is requesting access to.
usernamethe usernameyesThe username of the resource owner
passwordthe user passwordyesThe password of the resource owner

Response

  • Response Type: application/json
ParameterValueMandatoryDescription
access_tokenA newly issued access tokenyesThe resulting access token for the flow
refresh_tokenA newly issued refresh tokennoOnly issued if the client is configured to receive refresh tokens
expires_inExpiration in secondsyesThe time to live of the access token in seconds
scopeSpace separated stringnoIf not present the requested scopes where issued. If present the issued scopes may differ from the requested scopes.
token_typeBearer or other token typeyesDescribes how the token can be used. Most commonly Bearer token usage.
Was this page helpful?