The resource owner password credentials grant requires the client to collect and handle the user's username and password itself, so it is suited only to trusted first-party clients that cannot use a redirect-based flow; the OAuth 2.0 Security Best Current Practice recommends against it for new deployments. To exchange the username and password for an access token, send an HTTPS POST request with the parameters below to the token endpoint. Plain HTTP connections are not accepted. Do not hard-code the token endpoint: read it from the token_endpoint value published at the authorization server's OpenID Metadata Endpoint.
Request Parameters
| Parameter | Required/Optional | Description |
|---|---|---|
| resourceServer | Optional | The name of a registered resource server. When present, the authorization server encrypts the access token in the way configured for that resource server. |
| client_id | Required | The client application ID obtained when the client application was registered. |
| client_secret | Optional | Optional for a native application, mandatory for a web application. A web application must keep the secret server-side and never ship it to a browser or device. |
| grant_type | Required | Specify password as the value for this parameter. |
| username | Required | The user login name. |
| password | Required | The user login password. |
| scope | Optional | Scopes supported by the authorization server; the list is published as scopes_supported at the authorization server's OpenID Metadata Endpoint. To receive an ID token, include the openid scope. Separate multiple scope values with a space (URL-encoded as %20 or +). |
| acr_values | Optional | If the request contains acr_values, Identity Server maps each value to a contract configured in Identity Server and executes it (for example, /name/password/uri). The contract is not returned in the ID token. To specify more than one contract URI, separate them with spaces; Identity Server executes the contracts in the order given, and authentication succeeds as soon as any one contract succeeds. If no contract succeeds, authentication fails. |
Response Values
| Parameter | Description |
|---|---|
| access_token | OAuth 2.0 access token. |
| token_type | The type of token returned. At this time, this is always Bearer. |
| expires_in | The remaining lifetime of the access token, in seconds. |
| scope | The scopes granted. The access token allows access to these scopes. |
| refresh_token | Returned only if the client application is registered for refresh tokens. Use it to obtain a new access token when the current one expires. |
The following is a sample request with whitespace for readability:
```
POST /nidp/oauth/nam/token?
    grant_type=password
    &client_id=bb775b12-bbd4-423b-83d9-647aeb98608d
    &client_secret=bBbE-4mNO_kWWAnEeOL1CLTyuPhNLhHkTThA-rEckyrdLmRLn3GhnxjsKI2mEijCSlPjftxHod_05dp-uGs6wA
    &username=user1
    &password=pass@123
    &scope=email%20profile HTTP/1.1
Host: www.idp.com:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Accept: */*
```
Response:
```
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 630

{
  "access_token": "/wEBAAEBACAgHkphv9NdD5khH7CLty7PpURg9RKOQ5pm6...",
  "token_type": "bearer",
  "expires_in": 3599,
  "scope": "profile email"
}
```
The sample carries the parameters in the query string. RFC 6749 specifies them in an application/x-www-form-urlencoded request body instead, which keeps the user's password and the client secret out of web server access logs, proxy logs and browser history; send them in the body wherever the server accepts it.
NOTE: If validation errors occur, HTTP status 400 is returned with a JSON response containing error and error_description.
The following is a sample error response with whitespace for readability:
```
HTTP/1.1 400 Bad Request
Content-Type: application/json
Content-Length: 143

{
  "error": "invalid_request",
  "error_description": "OAuth Client Authentication Failure because password parameter is missing in the request"
}
```
The client credentials grant exchanges the client's own credentials for an access token that represents the client application itself rather than a user. To get an access token, send an HTTPS POST request with the parameters below to the token endpoint. Plain HTTP connections are not accepted. Read the token endpoint from the token_endpoint value published at the authorization server's OpenID Metadata Endpoint rather than hard-coding it.
Request Parameters
| Parameter | Required/Optional | Description |
|---|---|---|
| client_id | Required | The client application ID obtained when the client application was registered. |
| client_secret | Optional | Optional for a native application, mandatory for a web application. Because this grant authenticates the client alone, it is meant for confidential clients that can protect a secret; a public client has nothing to authenticate with. |
| grant_type | Required | Specify client_credentials as the value for this parameter. |
Response Values
| Parameter | Description |
|---|---|
| access_token | OAuth 2.0 access token. |
| token_type | The type of token returned. At this time, this is always Bearer. |
| expires_in | The remaining lifetime of the access token, in seconds. |
The following is a sample request with whitespace for readability:
```
POST /nidp/oauth/nam/token?
    grant_type=client_credentials
    &client_id=bb775b12-bbd4-423b-83d9-647aeb98608d
    &client_secret=bBbE-4mNO_kWWAnEeOL1CLTyuPhNLhHkTThA-rEckyrdLmRLn3GhnxjsKI2mEijCSlPjftxHod_05dp-uGs6wA
    &redirect_uri=https://www.oauthapp.com/oauth.php
    &scope=email%20profile HTTP/1.1
Host: www.idp.com:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Accept: */*
```
Response:
```
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 630

{
  "access_token": "/wEBAAAAACBy4Ku4ApcxEV7er19P6nqH5HZg5J6GcY...",
  "token_type": "bearer",
  "expires_in": 3599
}
```
The sample also passes redirect_uri and scope, neither of which appears in the parameter table above. redirect_uri plays no part in the client credentials grant in RFC 6749 and can be omitted; scope is optional, and the response shows that the server may omit scope from a successful response. As with the other grants, prefer sending the parameters in a form-encoded body rather than in the query string so the client secret stays out of URL logs.
NOTE: If validation errors occur, HTTP status 400 is returned with a JSON response containing error and error_description.
A SAML 2.0 assertion can be exchanged for an access token. The consent page is not shown to the user for authorizing scopes, so the access token allows access only to scopes the user has previously approved. To get an access token, send an HTTPS POST request with the parameters below to the token endpoint. Plain HTTP connections are not accepted. Read the token endpoint from the token_endpoint value published at the authorization server's OpenID Metadata Endpoint rather than hard-coding it. The server validates the assertion before issuing a token; an assertion whose audience does not match this authorization server is rejected with invalid_grant, as the error sample below shows.
Request Parameters
| Parameter | Required/Optional | Description |
|---|---|---|
| client_id | Required | The client application ID obtained when the client application was registered. |
| grant_type | Required | Use urn:ietf:params:oauth:grant-type:saml2-bearer as the value for this parameter. |
| assertion | Required | A single base64url-encoded SAML 2.0 Assertion. |
| client_secret | Optional | The client secret value. |
| scope | Optional | Scopes supported by the authorization server; the list is published as scopes_supported at the authorization server's OpenID Metadata Endpoint. Separate multiple scope values with a space (URL-encoded as %20 or +). |
Response Values
| Parameter | Description |
|---|---|
| access_token | OAuth 2.0 access token. |
| token_type | The type of token returned. At this time, this is always Bearer. |
| expires_in | The remaining lifetime of the access token, in seconds. |
| scope | The requested scopes that the user has pre-approved. |
The following is a sample request with whitespace for readability:
```
POST /nidp/oauth/nam/token?
    grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer
    &client_id=bb775b12-bbd4-423b-83d9-647aeb98608d
    &assertion=MPHnbWxv01….SY2
    &scope=email%20profile HTTP/1.1
Host: www.idp.com:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Accept: */*
```
Response:
```
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 630

{
  "access_token": "/wEBAAAAACBy4Ku4ApcxEV7er19P6nqH5HZg5J6GcY...",
  "token_type": "bearer",
  "expires_in": 3599
}
```
NOTE: If validation errors occur, HTTP status 400 is returned with a JSON response containing error and error_description.
The following is a sample error response with whitespace for readability:
```
HTTP/1.1 400 Bad Request
Content-Type: application/json

{
  "error": "invalid_grant",
  "error_description": "Audience validation failed"
}
```
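The three token requests on this page (password, client_credentials and saml2-bearer) share the same shape: discover the token endpoint, POST form-encoded parameters over HTTPS, and treat a 400 with error and error_description as a failure. The following client is an added example written for this page; it is not NetIQ Access Manager product code or a supported SDK. It assumes things the page does not state: that the metadata document is served at <issuer>/.well-known/openid-configuration, that the server accepts the parameters in the request body rather than the query string, and that the SAML audience it checks is the token endpoint URL. The stub_idp transport and GOOD_ASSERTION are constructed so the example runs offline; their checks and error strings mirror the samples above.

```python
"""Added example, not NetIQ Access Manager code: a client for the password,
client_credentials and saml2-bearer grants documented on this page.
Assumptions not stated on the page: metadata at <issuer>/.well-known/openid-configuration,
parameters sent form-encoded in the POST body, and an injectable transport."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"


class TokenError(Exception):
    """Raised for the HTTP 400 {error, error_description} responses described on the page."""
    def __init__(self, status, error, description):
        super().__init__(f"HTTP {status} {error}: {description}")
        self.status, self.error, self.description = status, error, description


def https_transport(url, body, headers):
    """Real transport. Plain http is refused before any credential leaves the process."""
    if not url.startswith("https://"):
        raise ValueError("token endpoint must use https")
    req = urllib.request.Request(url, data=body, headers=headers,
                                 method="POST" if body is not None else "GET")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:   # a 400 still carries the JSON error body
        return err.code, err.read()


class TokenClient:
    def __init__(self, issuer, client_id, client_secret=None, transport=https_transport):
        self.client_id, self.client_secret, self.transport = client_id, client_secret, transport
        # Discover token_endpoint and scopes_supported instead of hard-coding them.
        _, raw = transport(issuer.rstrip("/") + "/.well-known/openid-configuration", None, {})
        meta = json.loads(raw)
        self.token_endpoint = meta["token_endpoint"]
        self.scopes_supported = set(meta.get("scopes_supported", []))

    def _exchange(self, params, scope):
        if scope:
            unknown = set(scope) - self.scopes_supported
            if unknown:
                raise ValueError(f"scopes not in scopes_supported: {sorted(unknown)}")
            params["scope"] = " ".join(scope)           # urlencode sends the space as '+'
        params["client_id"] = self.client_id
        if self.client_secret:                           # mandatory for web apps, optional for native
            params["client_secret"] = self.client_secret
        body = urllib.parse.urlencode(params).encode()   # body, not query string: keeps secrets out of URL logs
        status, raw = self.transport(self.token_endpoint, body, {
            "Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"})
        data = json.loads(raw)
        if status != 200 or "access_token" not in data:
            raise TokenError(status, data.get("error", "unknown"), data.get("error_description", ""))
        return data

    def password_grant(self, username, password, scope=None, acr_values=None):
        params = {"grant_type": "password", "username": username, "password": password}
        if acr_values:
            params["acr_values"] = " ".join(acr_values)  # contracts are tried in this order
        return self._exchange(params, scope)

    def client_credentials_grant(self, scope=None):
        return self._exchange({"grant_type": "client_credentials"}, scope)

    def saml2_bearer_grant(self, assertion_xml, scope=None):
        encoded = base64.urlsafe_b64encode(assertion_xml).decode("ascii")  # single base64url assertion
        return self._exchange({"grant_type": SAML2_BEARER, "assertion": encoded}, scope)


# --- constructed stub authorization server so the example runs offline (not a real IdP) ---
TOKEN_ENDPOINT = "https://www.idp.com:8443/nidp/oauth/nam/token"
GOOD_ASSERTION = (b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
                  b'<saml:Subject><saml:NameID>user1</saml:NameID></saml:Subject>'
                  b'<saml:Conditions><saml:AudienceRestriction><saml:Audience>'
                  + TOKEN_ENDPOINT.encode() + b'</saml:Audience></saml:AudienceRestriction>'
                  b'</saml:Conditions></saml:Assertion>')


def stub_idp(url, body, headers):
    """Stand-in for the authorization server; checks and messages mirror the page's samples."""
    def err(code, desc):
        return 400, json.dumps({"error": code, "error_description": desc}).encode()
    if url.endswith("/.well-known/openid-configuration"):
        return 200, json.dumps({"token_endpoint": TOKEN_ENDPOINT,
                                "scopes_supported": ["openid", "email", "profile"]}).encode()
    form = {k: v[0] for k, v in urllib.parse.parse_qs(body.decode()).items()}  # blank values are dropped
    grant = form.get("grant_type")
    if grant == "password":
        if "password" not in form:
            return err("invalid_request", "OAuth Client Authentication Failure because "
                       "password parameter is missing in the request")
        if (form.get("username"), form["password"]) != ("user1", "pass@123"):
            return err("invalid_grant", "Authentication failed")
    elif grant == SAML2_BEARER:
        xml = base64.urlsafe_b64decode(form.get("assertion", ""))
        if b"<saml:Audience>" + TOKEN_ENDPOINT.encode() + b"</saml:Audience>" not in xml:
            return err("invalid_grant", "Audience validation failed")
    elif grant != "client_credentials":
        return err("unsupported_grant_type", f"{grant} is not supported")
    token = {"access_token": "/wEBAAEBACAgHkphv9NdD5khH7CLty7PpURg9RKOQ5pm6...",
             "token_type": "bearer", "expires_in": 3599}
    if "scope" in form:
        token["scope"] = form["scope"]
    return 200, json.dumps(token).encode()
```

Scope values are checked against scopes_supported before the request is sent, so a typo fails locally instead of producing an opaque server error. Swap stub_idp for https_transport (the default) to talk to a real server; the stub's audience check is a placeholder for whatever audience the real server is configured to expect.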