Resource owner password flow

Requirements

  • Confidential application types.

  • Sharing of resource owner credentials with client applications.

  • Secure storage for tokens, ClientID and ClientSecret.

Setup

  • Client registration in the OAuth server.

    • Client receives ClientID and ClientSecret.

    • The registration process itself is not regulated by the OAuth specification.

Limitations

  • Resource owners need to trust client applications, since they hand them their credentials.

Resource owner uses a server-based Web App

  • The client.

The client uses the resource server API to get a resource

  • The resource server rejects the request and asks for an access token.

The client asks the resource owner for authentication credentials

The client gets an access token from the OAuth server

  • Using its own credentials (ClientID and ClientSecret), to prove it is an authorized client.

  • Using the resource owner’s credentials.

  • These should be immediately discarded.

The client uses the resource server API again to get the resource

  • This time providing an access token.
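The sequence above (unauthenticated call, token request with both client and resource owner credentials, second call with the token) as one worked example. This is added code, not part of the original slides: it simulates the client, the OAuth server's token endpoint and the resource server in a single Python file so the exchange can be run offline. The client registration (ClientID, ClientSecret), the resource owner record and the token store are constructed stand-ins; a real deployment would send these messages over HTTPS and keep the secrets in proper secure storage.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed client registration (stands in for the OAuth server's client store).
CLIENT_ID = "webapp-demo"
CLIENT_SECRET = "constructed-client-secret"  # constructed value, not a real secret

# Constructed resource owner record; the OAuth server stores a salted hash, never the password.
_SALT = b"constructed-salt"


def _hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


RESOURCE_OWNERS = {"alice": _hash_password("correct horse battery staple")}

# Token store shared by the OAuth server and the resource server (assumption of this simulation).
ISSUED_TOKENS = {}  # access_token -> resource owner


def client_build_token_request(username, password):
    """Client side: grant_type=password plus the owner's credentials in the body,
    client authentication via HTTP Basic (ClientID:ClientSecret)."""
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    return {
        "method": "POST",
        "path": "/token",
        "headers": {"Authorization": f"Basic {basic}",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": "password", "username": username,
                           "password": password, "scope": "read"}),
    }


def oauth_server_token_endpoint(request):
    """OAuth server side: authenticate the client first, then the resource owner."""
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        cid, csec = base64.b64decode(auth[6:]).decode().split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return 401, {"error": "invalid_client"}
    if cid != CLIENT_ID or not hmac.compare_digest(csec.encode(), CLIENT_SECRET.encode()):
        return 401, {"error": "invalid_client"}
    form = {k: v[0] for k, v in parse_qs(request["body"]).items()}
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    stored = RESOURCE_OWNERS.get(form.get("username", ""))
    supplied = _hash_password(form.get("password", ""))
    if stored is None or not hmac.compare_digest(stored, supplied):
        return 400, {"error": "invalid_grant"}
    token = secrets.token_urlsafe(32)
    ISSUED_TOKENS[token] = form["username"]
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600}


def resource_server_get(path, headers):
    """Resource server side: no or unknown bearer token -> 401 asking for a token."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}, None
    owner = ISSUED_TOKENS.get(auth[7:])
    if owner is None:
        return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}, None
    return 200, {}, {"resource": path, "owner": owner}


def run_flow(username, password):
    """Whole sequence from the slides. Returns
    (first API status, token endpoint status, second API status, resource)."""
    first_status, _, _ = resource_server_get("/me", {})          # no token yet -> 401
    status, body = oauth_server_token_endpoint(client_build_token_request(username, password))
    del password  # discard the resource owner's credentials immediately; keep only the token
    if status != 200:
        return first_status, status, None, None
    token = body["access_token"]
    second_status, _, resource = resource_server_get("/me", {"Authorization": f"Bearer {token}"})
    return first_status, status, second_status, resource


if __name__ == "__main__":
    print(run_flow("alice", "correct horse battery staple"))
```

Note that the client never stores the password: after the token endpoint answers, only the bearer token is retained, which is the "immediately discarded" point from the slides. The client secret check and the password check both use a constant-time comparison so the server does not leak which part of a credential was wrong through timing.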
