Resource Owner Password Credentials Grant

The resource owner’s password credentials (that is, the user name and password) can be used by the OAuth client directly as an authorization grant to obtain an access token.

The resource owner password credentials grant type is suitable only where the resource owner has a high degree of trust in the OAuth client (for example, the client is part of the device operating system or is a highly privileged application) and other grant types, such as the authorization code grant, are not available. Because the client sees the user's password in the clear, the OAuth 2.0 Security Best Current Practice recommends against this grant type, and it has been removed from the OAuth 2.1 draft.

How the Resource Owner Password Credentials Grant Works

This grant type requires that the OAuth client handle the resource owner's credentials directly, but the credentials are used for only a single request to the token endpoint, where they are exchanged for an access token (and, optionally, a refresh token). The client therefore does not need to store the resource owner's password for later use; it keeps only the token it received.
This is how the resource owner password credentials grant works:
  1. The resource owner provides their user name and password to the OAuth client.

  2. The OAuth client requests an access token from the authorization server's token endpoint. The request is a POST with grant_type set to password, the user name and password received from the resource owner, and optionally the requested scope; a confidential client also authenticates itself to the authorization server, for example with HTTP Basic authentication.

  3. The authorization server authenticates the OAuth client (if the client was issued client credentials) and validates the resource owner's credentials. If both checks succeed, the authorization server returns an access token, and optionally a refresh token, in its response; otherwise it returns an error response (invalid_client if client authentication failed, invalid_grant if the resource owner's credentials were rejected).
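The three steps above, worked through as an added example that is not part of the original page. It simulates both sides of the exchange in one process: a client function that builds the token request (password in the form body, client authentication in the Authorization header) and a token endpoint that authenticates the client, verifies the password against a stored hash and issues a bearer token. The client identifier, client secret, user account, salt and token endpoint path are constructed fixtures, not values from any real deployment.

```python
"""Resource Owner Password Credentials grant: client request and token endpoint.

Constructed example. The registered client, its secret, the user account
and the salt are made-up fixtures so the code runs offline.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode


# ---- OAuth client side -----------------------------------------------------

def build_token_request(client_id, client_secret, username, password, scope=None):
    """Step 2: build the request sent to the token endpoint (RFC 6749 section 4.3.2).

    The resource owner's credentials travel in the form body; the client
    authenticates itself separately with HTTP Basic (RFC 6749 section 2.3.1).
    """
    form = {"grant_type": "password", "username": username, "password": password}
    if scope:
        form["scope"] = scope
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "path": "/token",  # hypothetical token endpoint path
        "headers": {
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode(form),
    }


# ---- Authorization server side (constructed fixtures) ----------------------

CLIENTS = {"acme-desktop-app": "s3cret-client-credential"}  # hypothetical client
_SALT = b"constructed-salt-0001"                            # toy user store salt


def _hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice": _hash_password("correct horse battery staple")}  # hash only


def token_endpoint(request):
    """Step 3: handle a token request. Returns (http_status, json_body)."""
    # 3a. Authenticate the OAuth client from the Basic Authorization header.
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        client_id, _, presented = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:  # bad base64 padding or undecodable bytes
        return 401, {"error": "invalid_client"}
    expected = CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(expected.encode(), presented.encode()):
        return 401, {"error": "invalid_client"}

    # 3b. Parse the form body; check grant type and required parameters.
    form = {k: v[0] for k, v in parse_qs(request["body"], keep_blank_values=True).items()}
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    if "username" not in form or "password" not in form:
        return 400, {"error": "invalid_request"}

    # 3c. Validate the resource owner's credentials. The hash is computed even
    # for unknown users and the same error is returned for an unknown user and
    # a wrong password, so the response does not reveal which one failed.
    stored = USERS.get(form["username"])
    candidate = _hash_password(form["password"])
    if stored is None or not hmac.compare_digest(stored, candidate):
        return 400, {"error": "invalid_grant"}

    # 3d. Issue the access token. The password served this one request only;
    # neither side needs to keep it afterwards.
    return 200, {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": 3600,
        "scope": form.get("scope", ""),
    }


def obtain_access_token(client_id, client_secret, username, password, scope=None):
    """Steps 1 to 3 end to end: exchange the resource owner's password for a token."""
    request = build_token_request(client_id, client_secret, username, password, scope)
    status, body = token_endpoint(request)
    if status != 200:
        raise PermissionError(f"token request failed: {body['error']}")
    return body


if __name__ == "__main__":
    token = obtain_access_token("acme-desktop-app", "s3cret-client-credential",
                                "alice", "correct horse battery staple", scope="read")
    print(token["token_type"], token["expires_in"], token["scope"])
```

Two details worth noting: the client secret is never placed in the form body, only in the Authorization header, and the server answers a bad client secret with 401 invalid_client but a bad user password with 400 invalid_grant, which is the distinction RFC 6749 draws between the two failures.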