Resource Owner Password Credentials

The Resource Owner Password Credentials grant type applies when the client collects the resource owner's Net ID and password directly and exchanges them for an access token. Because the client must also present its client_secret, and that secret must stay confidential, this grant type is only appropriate for confidential clients: server-side code held in a secured location, never a browser, mobile or desktop application from which the secret could be extracted. No browser interaction is required for this grant type. It works well for testing, but it should never be used in production applications: the client sees the user's password in the clear, the user cannot tell a legitimate client from a phishing client, and the OAuth 2.0 Security Best Current Practice now prohibits the grant type outright. Use the Authorization Code grant type for production clients.

The flow, shown in the original page as a sequence diagram, consists of the following steps:

  • A) The resource owner supplies his or her credentials to the client.
  • B) The client requests an access token by sending the resource owner's credentials, along with the client credentials, to the authorization server.
  • C) The authorization server validates both sets of credentials and returns an access token.

EXAMPLE FLOW USING WSO2 AND CURL

This example uses command-line curl to emulate the interaction outlined above. It assumes that the client has been registered in API Manager and has been issued a client_id and a client_secret. A redirect_uri may also have been registered, but it plays no part in this grant type: there is no browser redirect, so an invalid redirect_uri (one that produces a 404 error) does not affect the flow.

The -k command-line option instructs curl to skip verification of the server's TLS certificate. Use it only against a test server whose certificate is not trusted by your machine: the requests below carry the user's password and the client_secret, so with -k an attacker able to intercept the connection could capture both. The -v option specifies verbose mode so that we can see the request and response headers.

Be sure to enclose the URLs and the request body in quotation marks. Characters such as & and ? are special to the shell on most operating systems; an unquoted & would run curl in the background with a truncated body.

A,B,C) The resource owner supplies his or her credentials to the client, which then requests an access token from the authorization server. The authorization server validates both the client credentials and the resource owner's credentials and responds with an access token. Note that this is a POST request, with the grant_type, username, and password form-encoded in the body of the request. The client credentials are passed in an HTTP Basic Authentication Authorization header, which the -u option builds for you. See the example below.

curl -k -d "grant_type=password&username=net_id&password=password" -u "client_id:client_secret" "https://api.byu.edu/token"
{"scope":"default","token_type":"bearer","expires_in":3600,"refresh_token":"refresh_token","access_token":"access_token"}

The access_token can now be used to request access to protected resources by sending it in a Bearer Authorization header. The refresh_token can later be exchanged for a new access token (grant_type=refresh_token) without collecting the user's password again, so treat it with the same care as the password itself.

curl -v -k -H "Authorization: Bearer <access_token>" "https://api.byu.edu/byuapi/personsummary/v1/bdm4"
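The following Python program walks through steps A, B and C above, plus the final resource request, with both sides of the exchange in one process. It is an added example, not code from BYU or WSO2: the client registry, the user store, the token store and the URLs are constructed stand-ins so that it runs offline, and the client_id, client_secret and Net ID values are the same placeholders the curl commands use. The token endpoint returns the error codes RFC 6749 defines (invalid_client, invalid_grant, unsupported_grant_type) so you can see what a rejected request looks like, not only the happy path.

```python
"""Resource Owner Password Credentials grant, client and server side, in process.

Added example, not BYU/WSO2 code. REGISTERED_CLIENTS, RESOURCE_OWNERS and
ISSUED_TOKENS are constructed stand-ins for the authorization server's state.
"""
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed authorization-server state (assumption: placeholder values only).
REGISTERED_CLIENTS = {"client_id": "client_secret"}  # client_id -> client_secret
RESOURCE_OWNERS = {"net_id": "password"}             # Net ID -> password
ISSUED_TOKENS = {}                                   # access_token -> {"sub", "scope"}


def build_token_request(client_id, client_secret, username, password):
    """Step B as the client sends it: form-encoded body plus HTTP Basic client
    credentials. This is what the curl -d/-u command above puts on the wire."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "url": "https://api.byu.edu/token",  # assumption: placeholder endpoint
        "headers": {"Authorization": f"Basic {creds}",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": "password",
                           "username": username, "password": password}),
    }


def token_endpoint(request):
    """Step C on the authorization server: validate BOTH sets of credentials.
    Returns (http_status, json_body) shaped like RFC 6749 sections 5.1 and 5.2."""
    # 1. Client authentication from the Basic header (constant-time compare).
    scheme, _, encoded = request["headers"].get("Authorization", "").partition(" ")
    if scheme != "Basic":
        return 401, {"error": "invalid_client"}
    try:
        client_id, _, client_secret = base64.b64decode(encoded).decode().partition(":")
    except Exception:  # bad base64 or non-UTF-8 bytes
        return 401, {"error": "invalid_client"}
    expected = REGISTERED_CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(expected, client_secret):
        return 401, {"error": "invalid_client"}
    # 2. Grant type and resource-owner credentials from the form body.
    form = {k: v[0] for k, v in parse_qs(request["body"]).items()}
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    user_pw = RESOURCE_OWNERS.get(form.get("username", ""))
    if user_pw is None or not hmac.compare_digest(user_pw, form.get("password", "")):
        return 400, {"error": "invalid_grant"}
    # 3. Issue an opaque bearer token bound to the user, plus a refresh token.
    access = secrets.token_urlsafe(24)
    ISSUED_TOKENS[access] = {"sub": form["username"], "scope": "default"}
    return 200, {"scope": "default", "token_type": "bearer", "expires_in": 3600,
                 "refresh_token": secrets.token_urlsafe(24), "access_token": access}


def get_access_token(client_id, client_secret, username, password):
    """Steps A-C from the client's side; raises with the RFC error code on failure."""
    status, body = token_endpoint(
        build_token_request(client_id, client_secret, username, password))
    if status != 200:
        raise PermissionError(body["error"])
    return body["access_token"]


def protected_resource(headers):
    """A resource server checking 'Authorization: Bearer <access_token>'
    (the curl -H request above) against the tokens the server issued."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or token not in ISSUED_TOKENS:
        return 401, {"error": "invalid_token"}
    return 200, {"net_id": ISSUED_TOKENS[token]["sub"]}


if __name__ == "__main__":
    token = get_access_token("client_id", "client_secret", "net_id", "password")
    print(protected_resource({"Authorization": f"Bearer {token}"}))
```

The two hmac.compare_digest calls are the one detail worth copying into real code: comparing secrets with == lets an attacker measure how many leading characters matched. Everything else mirrors what WSO2 does behind the /token endpoint, but with the stores replaced by dictionaries.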