Resource Owner Password Credentials Grant Type

When to use: When user credentials are available, and the client is trusted to store them securely.

Note:

  • The access token expiry (in seconds) is configurable and can be set when the access token is generated. In the preceding example, it is set to 3600 seconds (1 hour), which is also the default. You can set it to a value of your choice, up to a maximum of 31536000 seconds (1 year).
  • Returns an access token. A refresh token is also generated when offline_access is enabled.
  • Suitable for generating user-level tokens tied to roles.

Sample code

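# $encoded holds the Base64 encoding of client_id:client_secret.
# Scope values are separated by plain spaces: --data-urlencode does the encoding,
# so a literal %20 here would be sent double-encoded as %2520.
curl --location 'https://<idcs_domain>/oauth2/v1/token' \
  --header "Authorization: Basic $encoded" \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=password' \
  --data-urlencode 'username=dev-user' \
  --data-urlencode 'password=xxxxxxxxx' \
  --data-urlencode 'scope=urn:opc:idm:my-custom-scope urn:opc:resource:expiry=3600 offline_access'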

Sample code with mTLS enabled

# Same request, with the client certificate and key presented for mTLS.
curl --location 'https://<idcs_domain>/oauth2/v1/token' \
  --cacert ./ca.crt --cert ./client.crt --key ./client.key \
  --header "Authorization: Basic $encoded" \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=password' \
  --data-urlencode 'username=dev-user' \
  --data-urlencode 'password=xxxxxxxxx' \
  --data-urlencode 'scope=urn:opc:idm:my-custom-scope urn:opc:resource:expiry=3600 offline_access'

Sample response

{
  "access_token": "eyJraWQiOiJrZXkxIiwiYWxnIjoiUlMyNTYifQ...",
  "refresh_token": "bc12cde3-xxxx-xxxx-xxxx-xxxx",
  "token_type": "Bearer",
  "expires_in": 3600
}
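The request above, wrapped as shell functions that check the requested expiry against the stated maximum and keep the client secret and user password out of curl's command-line arguments. This is an added example, not code from the original documentation. The function names, the CLIENT_ID and CLIENT_SECRET variables, the password file and the lower bound of 1 second are assumptions.

```bash
#!/usr/bin/env bash
# Added example: all helper and variable names here are assumptions.

MAX_EXPIRY=31536000   # 1 year, the maximum stated in the note above

# Build the scope value: custom scope, requested expiry, optional offline_access.
# Parts are joined with plain spaces; curl --data-urlencode encodes them once.
build_scope() {
  local app_scope="$1"
  local expiry="$2"
  local offline="${3:-no}"
  case "$expiry" in
    ''|*[!0-9]*) echo "expiry must be a whole number of seconds" >&2; return 1 ;;
  esac
  # The length check rejects values too large for the integer comparison.
  if [ "${#expiry}" -gt 8 ] || [ "$expiry" -lt 1 ] || [ "$expiry" -gt "$MAX_EXPIRY" ]; then
    echo "expiry must be between 1 and $MAX_EXPIRY seconds" >&2; return 1
  fi
  local scope="$app_scope urn:opc:resource:expiry=$expiry"
  if [ "$offline" = yes ]; then scope="$scope offline_access"; fi
  printf '%s' "$scope"
}

# Value for the Basic Authorization header: Base64 of client_id:client_secret.
basic_credential() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Request a token. The Authorization header reaches curl through a config read
# from stdin and the password is read from a file (which must not end in a
# newline), so neither secret is passed as a command-line argument.
request_token() {
  local domain="$1"
  local user="$2"
  local pw_file="$3"
  local scope="$4"
  printf 'header = "Authorization: Basic %s"\n' \
      "$(basic_credential "$CLIENT_ID" "$CLIENT_SECRET")" |
    curl --silent --show-error --fail --config - \
      --data-urlencode 'grant_type=password' \
      --data-urlencode "username=$user" \
      --data-urlencode "password@$pw_file" \
      --data-urlencode "scope=$scope" \
      "https://$domain/oauth2/v1/token"
}

# Usage (replace the placeholder domain; ./dev-user.pw is a hypothetical file):
#   scope=$(build_scope 'urn:opc:idm:my-custom-scope' 3600 yes) &&
#     request_token '<idcs_domain>' dev-user ./dev-user.pw "$scope"
```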

For more details, see Resource Owner Password Credentials Grant Type.