Resource Owner Password Credentials Grant Type
Use this grant type when the resource owner has a trust relationship with the client, such as a computer operating system or a highly privileged application, because the client must discard the password after using it to obtain the access token.
The following diagram displays the Resource Owner Password Credentials Grant Type flow.
In this OAuth flow:
-
User clicks a link in the client application requesting access to protected resources.
-
The client application requests the resource owner's user name and password.
-
The user logs in with their user name and password.
-
The client application exchanges those credentials for an access token, and often a refresh token, from the Oracle Identity Cloud Service Authorization Server.
-
Oracle Identity Cloud Service Authorization Server returns the access token to the client application.
-
The client application uses the access token in an API call to obtain protected data, such as a list of users.
| Function | Available |
|---|---|
| Requires client authentication | No |
| Requires client to have knowledge of user credentials | Yes |
| Browser-based end user interaction | No |
| Can use an external Identity Provider for authentication | No |
| Refresh token is allowed | Yes |
| Access token is in the context of the end user | Yes |
See an example Resource Owner Password Grant Type authorization flow.