Resource owner password flow

Requirements

Confidential application types.
Sharing of resource owner credentials with client applications.
Secure storage for tokens, ClientID and ClientSecret.

Setup

Client registration in the OAuth server.
- Client receives ClientID and ClientSecret.
- Not regulated by OAuth.

Limitations

Resource owners need to trust on client applications.

Resource owner uses a server-based Web App

The client.

The client uses the resource server API to get a resource

The resource server requests a token.

The client asks the resource owner for authentication credentials

The client gets an access token from the OAuth server

Using its credentials (to have access permission).
Using the resource owner’s credentials.
These should be immediately discarded.

The client uses again the resource server API to get a resource

This time providing an access token.

PreviousImplicit flow NextClient credentials flow

Last updated 8 months ago