OAuth - Resource Owner Password Credentials / Password Credentials Flow

About

This page is about the authentication via the password credentials (ie login+password) in OAuth.

This type of authentication is known in Oauth as:

• the Password Credentials Flow.
• the Resource owner password credentials grant type

The resource owner password credentials is:

• used as an authorization grant
• to request directly
• and obtain an access token.

Sequence

This sequence is adapted for the password flow but will work for all other direct flow that ask for any other type of credentials.

The Flow has a Sequence Diagram:

where:

• (A) The client requests authorization from the resource owner.
• (B) The client receives an authorization grant
• (C) The client requests an access token by:
  • authenticating with the authorization server
  • and presenting the authorization grant.
• (D) The authorization server authenticates the client and validates the authorization grant, and if valid, issues an access token.
• (E) The client requests the protected resource from the resource server and authenticates by presenting the access token.
• (F) The resource server validates the access token, and if valid, serves the request.

Pros and cons

The credentials should only be used when:

• there is a high degree of trust between the resource owner (user) and the client (app) (e.g., the client is part of the device operating system or a highly privileged application)
• other authorization grant types are not available (such as an authorization code).

Even though this grant type requires direct client access to the resource owner credentials, the resource owner credentials are used for a single request and are exchanged for an access token.

This grant type can eliminate the need for the client to store the resource owner credentials for future use, by exchanging the credentials with a long-lived access token or refresh token.

Documentation / Reference

• https://tools.ietf.org/html/rfc6749#section-1.3.3