Resource Owner Password Credentials Workflow

When using the resource owner password credentials grant, the user provides the credentials (user name and password) directly to the application. The application then uses the credentials to obtain an access token from the OAuth token service.

The resource owner password credentials grant is a grant workflow in which the client application, together with its client identifier and secret, sends the user name and password in exchange for an access token. Instead of the user having to log in and approve the authorization request in a web interface, the user enters the user name and password directly in the client application UI. This workflow has different security properties from the other OAuth workflows. The primary difference is that the user’s password is exposed to the application, so the user must place a high degree of trust in the application.

Security Properties

If the resource owner password credentials workflow is used, the application needs the user’s credentials only once, on first use, when it exchanges them for an access token. The application therefore has no need to store these credentials within the application or on the device, and revoking the application’s access is equally straightforward.

Key Characteristics of the Resource Owner Password Credentials Grant

The resource owner password credentials grant:
  • Is used with confidential clients.

  • Uses the user name and password of the resource owner.

  • Isn’t redirection-based; it involves only a request from the client application to the authorization server, and the user isn’t redirected between interfaces to authorize the request.
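The single request from the confidential client to the authorization server described above, as an added example that is not part of the original page: the client authenticates with its identifier and secret, sends the resource owner's user name and password once, and keeps only the returned tokens. The client, user, endpoint and token values are constructed for the example.

```python
import base64
import json
from urllib.parse import quote, urlencode

def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Confidential-client authentication (RFC 6749 sec. 2.3.1): form-urlencode
    the id and secret, then Basic-encode them for the Authorization header."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")

def build_password_grant_request(client_id, client_secret, username, password, scope=None):
    """Return (headers, body) for the one RFC 6749 sec. 4.3 token request the client
    makes. The user's password travels only in this body; it is not kept afterwards."""
    form = {"grant_type": "password", "username": username, "password": password}
    if scope:
        form["scope"] = scope
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return headers, urlencode(form)

def parse_token_response(raw: str) -> dict:
    """Validate the JSON token response (RFC 6749 sec. 5.1) and keep only the
    fields the client needs to call the API and to refresh later."""
    resp = json.loads(raw)
    if "error" in resp:
        raise ValueError(f"token request failed: {resp['error']}")
    if resp.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected or missing token_type; only Bearer is handled here")
    if not resp.get("access_token"):
        raise ValueError("response lacks access_token")
    return {
        "access_token": resp["access_token"],
        "expires_in": int(resp.get("expires_in", 0)),
        "refresh_token": resp.get("refresh_token"),
    }

# Constructed sample success response in the shape an authorization server returns.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "2YotnFZFEjr1zCsicMWpAA",
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
})

if __name__ == "__main__":
    # Constructed client id/secret and user credentials; the token endpoint is hypothetical.
    hdrs, body = build_password_grant_request("s6BhdRkqt3", "gX1fBat3bV", "alice", "p@ss word")
    print("POST https://as.example.com/oauth2/token", hdrs, body)
    print(parse_token_response(SAMPLE_RESPONSE))
```

After the exchange the client retains only the token fields returned by parse_token_response, which is what makes revocation a matter of invalidating the token rather than changing the user's password.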