OAuth - Resource Owner Password Credentials / Password Credentials Flow
About
This page is about authentication via password credentials (i.e. login and password) in OAuth.
This type of authentication is known in OAuth as:
- the Password Credentials Flow
- the Resource Owner Password Credentials grant type
The resource owner password credentials is:
Sequence
This sequence is written for the password flow but applies to every other direct flow that asks for another type of credentials.
The flow has the following sequence diagram:
sequenceDiagram
    participant Cli as Client (App)
    participant RO as Resource Owner (User)
    participant AS as Authorization Server
    participant RS as Resource Server
    Cli->>RO: (A) Send an Authorization Request<br/>(Present a login form)
    RO->>Cli: (B) Get an Authorization Grant<br/>(Get the login/password)
    Cli->>AS: (C) Send the Authorization Grant
    AS->>Cli: (D) Get an Access Token
    Cli->>RS: (E) Send the Access Token
    RS->>Cli: (F) Get the Protected Resource
where:
Pros and cons
The password credentials should only be used when there is a high degree of trust between the resource owner (user) and the client (app), e.g. when the client is part of the device operating system or is a highly privileged application.
Even though this grant type requires direct client access to the resource owner's credentials, those credentials are used for a single request and are exchanged for an access token.
This grant type can therefore eliminate the need for the client to store the resource owner's credentials for future use, by exchanging them for a long-lived access token or refresh token.
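The exchange in steps C to F of the sequence above, and the single-use nature of the credentials just described, as an added example that is not part of this page: a minimal token endpoint handler for the password grant (RFC 6749 section 4.3) plus the resource server's bearer-token check. The user store, client registry (`os-app`), token store and credential values are constructed for the demo and are not from the page.

```python
# Added example (not the page's code): a token endpoint for the password grant.
# Users, clients and tokens below are constructed demo data.
import hashlib, hmac, os, secrets

def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store: only a salted hash is kept, never the password itself.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_pw("correct horse", _SALT))}
# Constructed registry of trusted (first-party, confidential) clients allowed
# to use this grant, matching the "high degree of trust" requirement above.
CLIENTS = {"os-app": "client-secret-123"}
ACCESS_TOKENS = {}  # token -> (user, scope); lives only on the server side

def handle_token_request(form: dict, client_id: str, client_secret: str):
    """Step C/D: handle POST /token. Returns (http_status, json_body)."""
    # Authenticate the client before looking at the resource owner's grant.
    expected = CLIENTS.get(client_id, "").encode()
    if not hmac.compare_digest(expected, client_secret.encode()):
        return 401, {"error": "invalid_client"}
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    user, pw = form.get("username"), form.get("password")
    if user not in USERS or pw is None:
        return 400, {"error": "invalid_grant"}
    salt, stored = USERS[user]
    if not hmac.compare_digest(stored, _hash_pw(pw, salt)):
        return 400, {"error": "invalid_grant"}
    # The password is used for this single request only and exchanged for a
    # token; nothing below keeps it, so the client need not store it either.
    token = secrets.token_urlsafe(32)
    ACCESS_TOKENS[token] = (user, form.get("scope", ""))
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600}

def protected_resource(authorization_header: str):
    """Step E/F: the resource server validates the bearer token, never a password."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or token not in ACCESS_TOKENS:
        return 401, {"error": "invalid_token"}
    user, _scope = ACCESS_TOKENS[token]
    return 200, {"resource": f"hello {user}"}
```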
Documentation / Reference