Authorization Basics

Resource Owner Password Credentials Flow

The resource owner password credentials can be used directly as an authorization grant to obtain an access token.

In a Nutshell

The resource owner password credentials grant, defined in Section 4.3 of the OAuth 2.0 Authorization Framework (RFC 6749), lets a client obtain an access token by sending the end user's username and password directly to the authorization server's token endpoint. Because the client itself handles the user's credentials, this grant should only be used when there is a high degree of trust between the resource owner and the client (e.g., the client is part of the device operating system or a highly privileged application) and when other grant types are not available.

[mermaid-begin]
sequenceDiagram
    title Resource Owner Password Credentials
    autonumber
    participant user as User
    participant app as Application
    participant ce as Cloudentity tenant
    user->>app: Authenticate with username/password
    app->>ce: POST /oauth2/token (grant_type=password)
    ce->>ce: Validate user credentials
    ce->>app: Access & ID token
    app->>user: User is authenticated

INFO

Use this flow only when redirect-based flows (such as the Authorization Code Flow) are not an option. It must not be enabled for any third-party client: only first-party applications that are fully trusted to handle the user's credentials should be allowed to use it. Note that the OAuth 2.0 Security Best Current Practice (RFC 9700) states that the password grant must not be used, so prefer the Authorization Code Flow with PKCE wherever a browser or system browser is available.

In Depth

  1. The client requests a token by calling the token endpoint with the user's username and password (and, for confidential clients, its own client credentials).

    Cloudentity supports multiple client authentication methods. To learn more, see the client authentication documentation.

  2. Cloudentity validates the credentials and returns the access token and ID token.

Sample curls

  • Token request with no client authentication

    For public clients that cannot keep a secret, such as SPAs and mobile apps. Each field is passed with --data-urlencode so that a password containing characters such as & or % is encoded correctly instead of breaking the form body.

    curl --location --request POST 'https://REPLACE_WITH_TENANT_URL/TENANT_ID/WORKSPACE_ID/oauth2/token' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'grant_type=password' \
    --data-urlencode 'client_id=REPLACE_WITH_CLIENT_ID' \
    --data-urlencode 'username=REPLACE_WITH_USER_NAME' \
    --data-urlencode 'password=REPLACE_WITH_USER_PASSWORD'
    
  • Token request with client authentication

    For confidential clients with a secure backend that can keep the client secret. Note that command-line arguments are visible in shell history and process listings; in production, read secrets from a file or the environment rather than typing them inline.

    curl --location --request POST 'https://REPLACE_WITH_TENANT_URL/TENANT_ID/WORKSPACE_ID/oauth2/token' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'grant_type=password' \
    --data-urlencode 'client_id=REPLACE_WITH_CLIENT_ID' \
    --data-urlencode 'client_secret=REPLACE_WITH_CLIENT_SECRET' \
    --data-urlencode 'username=REPLACE_WITH_USER_NAME' \
    --data-urlencode 'password=REPLACE_WITH_USER_PASSWORD'
    

Sample token response

{
    "access_token": "eyJhbGciOiJFUzI1NiIsImtpZCI6IjE3NzQ0MTc1MDQ1MDY2NTQxMDk0Mjk5MTI1OTEyMzk3OTczNjU1NyIsInR5cCI6IkpXVCJ9....NjIThIkW4bRh-V8a29FyDQTYkDtmJZdBonHIOacR1QyMecfCVh_UXPXDuhxuzcWeYEB-cvCpkYm6p4J0gqcXdA",
    "expires_in": 3599,
    "id_token": "eyJhbGciOiJFUzI1NiIsImtpZCI6IjE3NzQ0MTc1MDQ1MDY2NTQxMDk0Mjk5MTI1OTEyMzk3OTczNjU1NyIsInR5cCI6IkpXVCJ9.eyJhbXIiOltdLCJhdF9oYXNoIjoibnp1WU50aFR3YUpIcHJ3Sk5NRWpudyIsImF1ZCI6InBvb2wtZGVtby1yb3BnLWlkIiwiYXV0aF90aW1lIjoxNjU3NjAxMjM1LCJleHAiOjE2NTc2MDQ4MzUsImlhdCI6MTY1NzYwMTIzNSwiaXNzIjoiaHR0cHM6Ly9waTMxNC51cy5hdXRoei5jbG91ZGVudGl0eS5pby9waTMxNC9wb29sLWRlbW8td29ya3NwYWNlIiwianRpIjoiZjVjODRiZmUtZDI4Ny00ZDMzLThlOGItNTk3ZTE2ZWRlODgzIiwicmF0IjoxNjU3NjAxMjM1LCJyZWZyZXNoX3Rva2VuX2V4cGlyZXNfYXQiOjE2NjAxOTMyMzUsInN1YiI6ImIyNjgyZDdhZWE5OTAyODc3YTk3ZGMzNjdiNTg4YTViZGUxOGMxOGJhYzcwNmU5NTFlMTdiN2I2MTRmNGY1NmEifQ.HKyjhXX31XS8VPuk13uywVgHuMjbrxkBSOMAWlT9MAnlFXlhXUYcMPfsENwT02Aa49xUfuqMVV7gcHyYkdCcZw",
    "scope": "email introspect_tokens openid profile revoke_tokens",
    "token_type": "bearer"
}
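The following is an added example, not Cloudentity's own code, that puts the two curl requests above and the sample token response together in a short Python client using only the standard library. It builds the form body with proper percent-encoding (so a password containing `&` or `%` survives), authenticates a confidential client with client_secret_basic instead of putting the secret in the body, turns an RFC 6749 error object (such as `invalid_grant`) into an exception, and reads the issuer, audience and expiry claims of the ID token. The token URL and client values are placeholders as in the curl samples; the ID token is the one from the sample response above; the error body used in the usage section is constructed. Signature verification against the tenant's JWKS is required in real code and is deliberately not implemented here.

```python
"""ROPC (grant_type=password) client for a Cloudentity token endpoint.
Added example, not Cloudentity code. URL and client values are placeholders."""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Placeholder, as in the curl samples: replace with your tenant's token endpoint.
TOKEN_URL = "https://REPLACE_WITH_TENANT_URL/TENANT_ID/WORKSPACE_ID/oauth2/token"


class TokenError(Exception):
    """The token endpoint returned an RFC 6749 section 5.2 error object."""
    def __init__(self, error, description=""):
        super().__init__(f"{error}: {description}")
        self.error, self.description = error, description


def build_ropc_request(username, password, client_id, client_secret=None, scope=None):
    """Return (headers, body) for a grant_type=password token request.

    The body is percent-encoded, so a password containing '&', '%' or '+'
    survives intact (a raw string would be split or mangled). A confidential
    client authenticates with client_secret_basic: the secret travels in the
    Authorization header rather than the form, so it is not logged next to
    the user's password wherever request bodies are captured.
    """
    form = {"grant_type": "password", "username": username, "password": password}
    if scope:
        form["scope"] = scope
    headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
    if client_secret is None:
        form["client_id"] = client_id  # public client (SPA, mobile app): no client authentication
    else:
        # RFC 6749 section 2.3.1: form-encode id and secret before Basic-encoding them.
        creds = urllib.parse.quote(client_id, safe="") + ":" + urllib.parse.quote(client_secret, safe="")
        headers["Authorization"] = "Basic " + base64.b64encode(creds.encode()).decode()
    return headers, urllib.parse.urlencode(form)


def parse_token_response(status, body):
    """Parse the endpoint's JSON, raising TokenError for an error response."""
    data = json.loads(body)
    if status != 200 or "access_token" not in data:
        raise TokenError(data.get("error", "unknown_error"), data.get("error_description", ""))
    if data.get("token_type", "").lower() != "bearer":
        raise TokenError("unsupported_token_type", data.get("token_type", ""))
    return data


def request_token(username, password, client_id, client_secret=None, scope=None, url=TOKEN_URL):
    """Send the request over the network; the only function here that does I/O."""
    headers, body = build_ropc_request(username, password, client_id, client_secret, scope)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_token_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:  # 400/401 carry the error object in the body
        return parse_token_response(e.code, e.read().decode())


def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature.
    Real code must verify the ES256 signature against the tenant's JWKS (e.g.
    with PyJWT) before trusting any claim; this function only reads them."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))


def check_id_token(claims, issuer, client_id, now=None, leeway=60):
    """Minimal OIDC claim checks (issuer, audience, expiry). Returns (ok, reason)."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    if claims.get("exp", 0) + leeway < now:
        return False, "expired"
    return True, "ok"


# The ID token from the sample response above. It was issued in July 2022,
# so check_id_token with the real clock reports it as expired.
SAMPLE_ID_TOKEN = (
    "eyJhbGciOiJFUzI1NiIsImtpZCI6IjE3NzQ0MTc1MDQ1MDY2NTQxMDk0Mjk5MTI1OTEyMzk3OTczNjU1NyIsInR5cCI6IkpXVCJ9"
    ".eyJhbXIiOltdLCJhdF9oYXNoIjoibnp1WU50aFR3YUpIcHJ3Sk5NRWpudyIsImF1ZCI6InBvb2wtZGVtby1yb3BnLWlkIiwiYXV0aF90aW1lIjoxNjU3NjAxMjM1LCJleHAiOjE2NTc2MDQ4MzUsImlhdCI6MTY1NzYwMTIzNSwiaXNzIjoiaHR0cHM6Ly9waTMxNC51cy5hdXRoei5jbG91ZGVudGl0eS5pby9waTMxNC9wb29sLWRlbW8td29ya3NwYWNlIiwianRpIjoiZjVjODRiZmUtZDI4Ny00ZDMzLThlOGItNTk3ZTE2ZWRlODgzIiwicmF0IjoxNjU3NjAxMjM1LCJyZWZyZXNoX3Rva2VuX2V4cGlyZXNfYXQiOjE2NjAxOTMyMzUsInN1YiI6ImIyNjgyZDdhZWE5OTAyODc3YTk3ZGMzNjdiNTg4YTViZGUxOGMxOGJhYzcwNmU5NTFlMTdiN2I2MTRmNGY1NmEifQ"
    ".HKyjhXX31XS8VPuk13uywVgHuMjbrxkBSOMAWlT9MAnlFXlhXUYcMPfsENwT02Aa49xUfuqMVV7gcHyYkdCcZw"
)

if __name__ == "__main__":
    # Hypothetical client values; the password deliberately contains '&' and '%'.
    headers, body = build_ropc_request("alice", "p&ss%word", "my-client", "s3cret")
    print(headers["Authorization"], body)
    # Constructed error body in the shape the token endpoint returns for bad credentials.
    try:
        parse_token_response(400, '{"error":"invalid_grant","error_description":"bad credentials"}')
    except TokenError as err:
        print("token request failed:", err.error)
    claims = jwt_claims(SAMPLE_ID_TOKEN)
    print(check_id_token(claims, claims["iss"], "pool-demo-ropg-id", now=claims["iat"]))
    print(check_id_token(claims, claims["iss"], "pool-demo-ropg-id"))
```

Running the script prints the Basic header and the encoded form body, shows the `invalid_grant` error being surfaced, and then reports the sample ID token as valid at its own issue time and as expired against the current clock. `request_token` is the only function that touches the network, which keeps the request construction and claim checks testable without a tenant.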