Resource owner password flow
Requirements
Confidential application types.
Sharing of resource owner credentials with client applications.
Secure storage for tokens, ClientID and ClientSecret.
Setup
Client registration in the OAuth server.
Client receives ClientID and ClientSecret.
Not regulated by OAuth.
Limitations
Resource owners need to trust client applications.
Resource owner uses a server-based Web App
The client.
The client uses the resource server API to get a resource
The resource server requests a token.
The client asks the resource owner for authentication credentials
The client gets an access token from the OAuth server
Using its credentials (to have access permission).
Using the resource owner’s credentials.
These should be immediately discarded.
The client again uses the resource server API to get a resource
This time providing an access token.
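The flow above as an added example, not code from the original page: the client builds the token request defined in RFC 6749 section 4.3.2, and in-memory stubs stand in for the OAuth server and resource server. The names CLIENTS, USERS, ISSUED, the function names and all credential values are assumptions constructed for this sketch.

```python
import base64, secrets
from urllib.parse import urlencode, parse_qs, quote_plus, unquote_plus

# Constructed sample registrations and accounts (not real credentials).
CLIENTS = {"webapp-1": "client-s3cret"}
USERS = {"alice": "correct horse"}
ISSUED = set()

def build_token_request(client_id, client_secret, username, password):
    """Client side: headers and body of the password-grant token request."""
    # The client authenticates with its own ClientID/ClientSecret (HTTP Basic).
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    headers = {"Authorization": "Basic " + base64.b64encode(pair.encode()).decode(),
               "Content-Type": "application/x-www-form-urlencoded"}
    # The resource owner's credentials travel in the form body.
    body = urlencode({"grant_type": "password", "username": username, "password": password})
    return headers, body

def token_endpoint(headers, body):
    """Stub OAuth server: checks both credential pairs, then issues a token."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic":
        return 401, {"error": "invalid_client"}
    cid, _, csecret = base64.b64decode(value).decode().partition(":")
    expected = CLIENTS.get(unquote_plus(cid))
    if expected is None or not secrets.compare_digest(expected.encode(), unquote_plus(csecret).encode()):
        return 401, {"error": "invalid_client"}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    pw = USERS.get(form.get("username", ""))
    if pw is None or not secrets.compare_digest(pw.encode(), form.get("password", "").encode()):
        return 400, {"error": "invalid_grant"}
    token = secrets.token_urlsafe(32)
    ISSUED.add(token)
    return 200, {"access_token": token, "token_type": "Bearer"}

def resource_api(headers):
    """Stub resource server: serves the resource only for an issued bearer token."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return (200, "resource") if scheme == "Bearer" and token in ISSUED else (401, None)

def login(client_id, client_secret, username, password):
    """Client side: exchange credentials for a token and keep only the token."""
    status, reply = token_endpoint(*build_token_request(client_id, client_secret, username, password))
    del password  # drop the reference; only the access token leaves this function
    return reply["access_token"] if status == 200 else None
```
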