search

Resource owner password flow

hashtag
Requirements

  • Confidential application types.

  • Sharing of resource owner credentials with client applications.

  • Secure storage for tokens, ClientID and ClientSecret.

hashtag
Setup

  • Client registration in the OAuth server.

    • Client receives ClientID and ClientSecret.

    • Not regulated by OAuth.

hashtag
Limitations

  • Resource owners need to trust on client applications.

hashtag
Resource owner uses a server-based Web App

  • The client.

hashtag
The client uses the resource server API to get a resource

  • The resource server requests a token.

hashtag
The client asks the resource owner for authentication credentials

hashtag
The client gets an access token from the OAuth server

  • Using its credentials (to have access permission).

  • Using the resource owner’s credentials.

  • These should be immediately discarded.

hashtag
The client uses again the resource server API to get a resource

  • This time providing an access token.

Last updated