In a Nutshell
The resource owner password credentials as defined in the OAuth 2.0 Authorization Framework RFC6749 can be used directly as an authorization grant to obtain an access token by providing end user credentials to the authorization server by the client. The credentials should only be used when there is a high degree of trust between the resource owner and the client (e.g., the client is part of the device operating system or a highly privileged application).
INFO
This flow can be used when redirect-based flows (like the Authorization Code Flow) are not desired and these flows must not be allowed for any third party client other than the applications that are absolutely trusted with this information.
In Depth
-
The client requests token by calling the token endpoint.
Read More
Cloudentity supports multiple client authentication methods. To learn more, see the client authentication documentation.
-
Cloudentity returns the Access and ID token.
Sample curls
-
Token request with no client authentication
Recommended for systems with no secure backend like SPA, Mobile apps etc
curl --location --request POST 'https://REPACE_WITH_TENANT_URL/TENANT_ID/WORKSPACE_ID/oauth2/token' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --data-raw 'grant_type=password&client_id=REPLACE_WITH_CLIENT_ID&username=REPLACE_WITH_USER_NAME&password=REPLACE_WITH_USER_PASSWORD'
-
Token request with client authentication
Recommended for systems with a secure backend
curl --location --request POST 'https://REPACE_WITH_TENANT_URL/TENANT_ID/WORKSPACE_ID/oauth2/token' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --data-raw 'grant_type=password&client_id=REPLACE_WITH_CLIENT_ID&client_secret=REPLACE_WITH_CLIENT_SECRET&username=REPLACE_WITH_USER_NAME&password=REPLACE_WITH_USER_PASSWORD'
Sample token response
{
"access_token": "eyJhbGciOiJFUzI1NiIsImtpZCI6IjE3NzQ0MTc1MDQ1MDY2NTQxMDk0Mjk5MTI1OTEyMzk3OTczNjU1NyIsInR5cCI6IkpXVCJ9.eyJhaWQiOiJwb29sLWRlbW8td29ya3NwYWNlIiwiYW1yIjpbXSwiYXVkIjpbInBvb2wtZGVtby1yb3BnLWlkIiwic3BpZmZlOi8vcGkzMTQudXMuYXV0aHouY2xvdWRlbnRpdHkuaW8vcGkzMTQvcG9vbC1kZW1vLXdvcmtzcGFjZS9wb29sLWRlbW8td29ya3NwYWNlLXByb2ZpbGUiLCJzcGlmZmU6Ly9waTMxNC51cy5hdXRoei5jbG91ZGVudGl0eS5pby9waTMxNC9wb29sLWRlbW8td29ya3NwYWNlL3Bvb2wtZGVtby13b3Jrc3BhY2Utb2F1dGgyIl0sImV4cCI6MTY1NzYwNDgzNSwiaWF0IjoxNjU3NjAxMjM1LCJpZHAiOiJjYjZlZmJncWYzaXZqaDdjZWFuMCIsImlzcyI6Imh0dHBzOi8vcGkzMTQudXMuYXV0aHouY2xvdWRlbnRpdHkuaW8vcGkzMTQvcG9vbC1kZW1vLXdvcmtzcGFjZSIsImp0aSI6Ijc1Yzg5ZmM5LTIzYjMtNGMyNi04NjNkLTM0Y2E2MDIxNDdkYSIsIm5iZiI6MTY1NzYwMTIzNSwic2NwIjpbImVtYWlsIiwiaW50cm9zcGVjdF90b2tlbnMiLCJvcGVuaWQiLCJwcm9maWxlIiwicmV2b2tlX3Rva2VucyJdLCJzdCI6InB1YmxpYyIsInN1YiI6ImIyNjgyZDdhZWE5OTAyODc3YTk3ZGMzNjdiNTg4YTViZGUxOGMxOGJhYzcwNmU5NTFlMTdiN2I2MTRmNGY1NmEiLCJ0aWQiOiJwaTMxNCJ9.NjIThIkW4bRh-V8a29FyDQTYkDtmJZdBonHIOacR1QyMecfCVh_UXPXDuhxuzcWeYEB-cvCpkYm6p4J0gqcXdA",
"expires_in": 3599,
"id_token": "eyJhbGciOiJFUzI1NiIsImtpZCI6IjE3NzQ0MTc1MDQ1MDY2NTQxMDk0Mjk5MTI1OTEyMzk3OTczNjU1NyIsInR5cCI6IkpXVCJ9.eyJhbXIiOltdLCJhdF9oYXNoIjoibnp1WU50aFR3YUpIcHJ3Sk5NRWpudyIsImF1ZCI6InBvb2wtZGVtby1yb3BnLWlkIiwiYXV0aF90aW1lIjoxNjU3NjAxMjM1LCJleHAiOjE2NTc2MDQ4MzUsImlhdCI6MTY1NzYwMTIzNSwiaXNzIjoiaHR0cHM6Ly9waTMxNC51cy5hdXRoei5jbG91ZGVudGl0eS5pby9waTMxNC9wb29sLWRlbW8td29ya3NwYWNlIiwianRpIjoiZjVjODRiZmUtZDI4Ny00ZDMzLThlOGItNTk3ZTE2ZWRlODgzIiwicmF0IjoxNjU3NjAxMjM1LCJyZWZyZXNoX3Rva2VuX2V4cGlyZXNfYXQiOjE2NjAxOTMyMzUsInN1YiI6ImIyNjgyZDdhZWE5OTAyODc3YTk3ZGMzNjdiNTg4YTViZGUxOGMxOGJhYzcwNmU5NTFlMTdiN2I2MTRmNGY1NmEifQ.HKyjhXX31XS8VPuk13uywVgHuMjbrxkBSOMAWlT9MAnlFXlhXUYcMPfsENwT02Aa49xUfuqMVV7gcHyYkdCcZw",
"scope": "email introspect_tokens openid profile revoke_tokens",
"token_type": "bearer"
}