Example Authorization Flow

This authorization flow example walks you through obtaining an access token by using the resource owner's (that is, the user's) credentials.

When you create an application using the Resource Owner grant type in the Oracle Identity Cloud Service administration console UI:

  • Specify Trusted Application as the application type.

  • Select Resource Owner as the grant type.

  • Specify the Redirect URI, which is where responses to authentication requests are sent.

See Resource Owner Password Credentials Grant Type for more information on the Resource Owner Password Credentials grant type and an authorization flow diagram.

Authorization Flow

  1. A user clicks a link in the Web server client application, requesting access to protected resources from a third-party Web server application.

  2. The client application collects the user's user name and password and requests an access token from the Identity Cloud Service OAuth Authorization Server (AS).

    The token request is a POST whose form-encoded body carries the parameters that indicate the type of access being requested:

    Example Request Using the Authorization Header

    curl -i \
    -H 'Authorization: Basic <base64Encoded clientid:secret>' \
    -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
    --request POST https://<IDCS-Service-Instance>.identity.oraclecloud.com/oauth2/v1/token -d 'grant_type=password&username=<user-name>&password=<password>&scope=<scope value>'

    Example Request Using the Authorization Header Including Refresh Token in the Request

    curl -i \
    -H 'Authorization: Basic <base64Encoded clientid:secret>' \
    -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
    --request POST https://<IDCS-Service-Instance>.identity.oraclecloud.com/oauth2/v1/token -d 'grant_type=password&username=<user-name>&password=<password>&scope=<Resource Server Scope>%20offline_access'

    Example Request Using a JWT Client Assertion

    curl -i \
    -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
    --request POST https://<IDCS-Service-Instance>.identity.oraclecloud.com/oauth2/v1/token -d 'grant_type=password&username=<user-name>&password=<password>&client_id=<client-id>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=<client-assertion>&scope=<scope value>'

    Example Request Using a JWT Client Assertion Including Refresh Token in the Request

    curl -i \
    -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
    --request POST https://<IDCS-Service-Instance>.identity.oraclecloud.com/oauth2/v1/token -d 'grant_type=password&username=<user-name>&password=<password>&client_id=<client-id>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=<client-assertion>&scope=<Resource Server Scope>%20offline_access'

  3. The Oracle Identity Cloud Service OAuth Authorization Server returns the access token. The access token contains all applicable Oracle Identity Cloud Service scopes, based on the privileges represented by the Oracle Identity Cloud Service application roles granted to the requesting client application and to the user specified in the client's request (if present).

    Note:

    If a request was made for an invalid scope, an error is returned instead of the access token.

  4. The requesting site uses the access token in an API call to obtain protected data.
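The following is an added example, not Oracle's own code or any part of the Identity Cloud Service SDK. It builds the same grant_type=password request shown in the curl examples above (Basic header or JWT client assertion, with or without offline_access for a refresh token), sends it with the Python standard library, and turns the server's reply into either a token dictionary or a TokenError, which is how the invalid-scope case from the Note surfaces. The tenant host, client id, secret, user credentials, scope, client assertion and the two sample JSON replies are placeholders or constructed values, not taken from any real tenant.

```python
"""Added example (not Oracle's code): Resource Owner Password Credentials
token request against the IDCS /oauth2/v1/token endpoint.
All identifiers below are placeholders or constructed sample values."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Assertion type used by the JWT client assertion variant of the request.
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


class TokenError(Exception):
    """Raised when the authorization server answers with an OAuth error
    (for example error=invalid_scope) instead of an access token."""

    def __init__(self, error, description=None, status=None):
        super().__init__(f"{error}: {description}" if description else error)
        self.error = error
        self.description = description
        self.status = status


def basic_auth_header(client_id, client_secret):
    """Value of the Authorization header: 'Basic ' + base64(client_id:secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(tenant_host, username, password, scope, *,
                        client_id=None, client_secret=None,
                        client_assertion=None, refresh_token=False):
    """Return (url, headers, body) for a grant_type=password request.

    The client authenticates either with the Basic header (client_id and
    client_secret) or with a JWT client assertion sent as form parameters,
    matching the four curl examples. refresh_token=True appends
    offline_access to the scope so the server also issues a refresh token.
    """
    if client_id is None or (client_assertion is None and client_secret is None):
        raise ValueError("need client_id plus client_secret or a client_assertion")
    url = f"https://{tenant_host}/oauth2/v1/token"
    headers = {"Content-Type": "application/x-www-form-urlencoded;charset=UTF-8"}
    if refresh_token:
        scope = f"{scope} offline_access"
    params = {"grant_type": "password", "username": username,
              "password": password, "scope": scope}
    if client_assertion is not None:
        params.update({"client_id": client_id,
                       "client_assertion_type": JWT_BEARER,
                       "client_assertion": client_assertion})
    else:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    # urlencode writes the space in the scope as '+', which the server decodes
    # exactly like the %20 used in the curl examples; ':' becomes %3A as there.
    body = urllib.parse.urlencode(params)
    return url, headers, body


def parse_token_response(status, body):
    """Return the reply as a dict, or raise TokenError for an OAuth error reply."""
    data = json.loads(body)
    if status == 200 and "access_token" in data:
        return data
    raise TokenError(data.get("error", "unknown_error"),
                     data.get("error_description"), status)


def request_token(tenant_host, username, password, scope, **kwargs):
    """Send the request over the network (not exercised by the offline test)."""
    url, headers, body = build_token_request(tenant_host, username, password,
                                             scope, **kwargs)
    req = urllib.request.Request(url, data=body.encode("ascii"),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return parse_token_response(resp.status, resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        # 4xx replies carry the JSON error body; surface it as TokenError.
        return parse_token_response(exc.code, exc.read().decode("utf-8"))


# Constructed sample replies in the shape of the server's JSON, for offline use.
SAMPLE_OK = json.dumps({"access_token": "constructed-access-token",
                        "token_type": "Bearer", "expires_in": 3600,
                        "refresh_token": "constructed-refresh-token"})
SAMPLE_INVALID_SCOPE = json.dumps({"error": "invalid_scope",
                                   "error_description": "Invalid scope."})

if __name__ == "__main__":
    url, headers, body = build_token_request(
        "<IDCS-Service-Instance>.identity.oraclecloud.com", "<user-name>",
        "<password>", "<Resource Server Scope>",
        client_id="<client-id>", client_secret="<secret>", refresh_token=True)
    print(url, headers["Authorization"], body, sep="\n")
    print(parse_token_response(200, SAMPLE_OK)["token_type"])
    try:
        parse_token_response(400, SAMPLE_INVALID_SCOPE)
    except TokenError as exc:
        print("server error:", exc)
```

The secret and the user's password leave the client only inside the TLS-protected POST body and the Basic header; keeping them out of the URL (as the curl examples do) avoids leaking them through proxy and server access logs. A client that stores the refresh_token obtained with offline_access should treat it with the same care as the client secret.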