OAuth - Resource Owner Password Credentials / Password Credentials Flow



This page is about the authentication via the password credentials (ie login+password) in OAuth.

This type of authentication is known in Oauth as:

  • the Password Credentials Flow.
  • the Resource owner password credentials grant type

The resource owner password credentials is:


This sequence is adapted for the password flow but will work for all other direct flow that ask for any other type of credentials.

The Flow has a Sequence Diagram:

sequenceDiagram participant Cli as Client (App) participant RO as Resource Owner (User) participant AS as Authorization Server participant RS as Resource Server Cli->>RO: (A) Send a Authorization Request
(Present a login form) RO->>Cli: (B) Get a Authorization Grant
(Get the login/password) Cli->>AS: (C) Send the Authorization Grant AS->>Cli: (D) Get a Access Token Cli->>RS: (E) Send the Access Token RS->>Cli: (F) Get the Protected Resource


Pros and cons

The credentials should only be used when:

Even though this grant type requires direct client access to the resource owner credentials, the resource owner credentials are used for a single request and are exchanged for an access token.

This grant type can eliminate the need for the client to store the resource owner credentials for future use, by exchanging the credentials with a long-lived access token or refresh token.

Documentation / Reference

Discover More
Oauth - Authorization Grant (Resource Owner Authorization|Authorization Credentials)

An Authorization Grant is a credential representing the resource owner's authorization to access its protected resources. The flow for each type of grant is expressed using grant type: one of four...
Oauth - Flow (Abstract Protocol Flow)

The abstract OAuth 2.0 flow describes the interaction between the four roles. For each type of grant, you got a flow: Type / Flow Description Client Type (Public / Private) Direction Type Redirection...
Security - (Identity+Authenticator=Credential)

Credentials are electronic information that is used to verify an identity. They are provided by client application (ie user, browser, application) to prove their identity Credentials are also known as:...

Share this page:
Follow us:
Task Runner