Overview

This guide presents the Resource Owner Password Credentials grant type flow. This flow is discouraged; you should consider implementing the authorization code flow or its Proof Key for Code Exchange (PKCE) extension instead.

The Resource Owner Password Credentials grant type allows an Application to get an Access Token directly by exchanging the User’s credentials (username and password) for it on Connect.

In order to implement this flow as a client, you need to complete the following steps:

Step 1: Register Provider and Application accounts

The first thing you have to do is to create a Provider account and an Application account which is associated with this Provider.

You can create multiple Application accounts and assign each account to different services or products you wish to use Connect for.

Step 2: Collect User Credentials

Note
You should take extra precaution when transmitting User Credentials to avoid exposing them to security threats.

Before requesting an access_token, you need to create a form which collects the user's input.

Note
Please note that there is no specific Signup (i.e. Creation of a new User) process. From Connect’s point of view, it is just a first-time Signin.

Step 3: Exchange Credentials for Access Token

Now that you have the User’s Credentials, you can get an access_token for your Application, by making the relevant request to the token endpoint.

To request an access_token, you will need to send the following to Connect:

To get a success response for the request to Connect, you need to keep the following in mind:

Warning
As the name implies, your client_secret should always stay… SECRET, and so should the Authorization header used for this request. It must be stored securely and you should never share it with anyone.
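The exchange in Step 3, as an added example that is not part of this guide or of Connect's own client libraries. It assumes the Application authenticates to the token endpoint with HTTP Basic (client_id:client_secret in the Authorization header, as RFC 6749 section 4.3 prescribes); the endpoint URL and the sample credentials are constructed placeholders, since the page gives neither.

```python
import base64
import json
from urllib.error import HTTPError
from urllib.parse import quote, urlencode
from urllib.request import Request, urlopen

# Hypothetical endpoint: this page does not give Connect's token URL.
TOKEN_ENDPOINT = "https://connect.example/oauth/token"

def build_token_request(client_id, client_secret, username, password, scope=None):
    """Password grant request (RFC 6749 section 4.3). The Application authenticates
    with HTTP Basic; section 2.3.1 form-encodes client_id and client_secret before
    base64. The user's credentials travel only in the POST body, never the URL."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    headers = {
        "Authorization": "Basic " + base64.b64encode(raw.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    form = {"grant_type": "password", "username": username, "password": password}
    if scope:
        form["scope"] = scope
    return headers, urlencode(form).encode()

def parse_token_response(status, body):
    """Return the token document on success; raise on an OAuth error reply."""
    data = json.loads(body)
    if status != 200 or "access_token" not in data:
        # Error replies carry "error" and, optionally, "error_description".
        raise RuntimeError(f"token request failed ({status}): "
                           f"{data.get('error', 'unknown')} {data.get('error_description', '')}".rstrip())
    if data.get("token_type", "").lower() != "bearer":
        raise RuntimeError(f"unexpected token_type {data.get('token_type')!r}")
    return data

def exchange_password_for_token(client_id, client_secret, username, password,
                                endpoint=TOKEN_ENDPOINT, timeout=10):
    """POST the request over TLS and parse the reply (4xx bodies are OAuth errors)."""
    headers, body = build_token_request(client_id, client_secret, username, password)
    req = Request(endpoint, data=body, headers=headers, method="POST")
    try:
        with urlopen(req, timeout=timeout) as resp:
            return parse_token_response(resp.status, resp.read())
    except HTTPError as err:
        return parse_token_response(err.code, err.read())
```

Keep the client_secret out of source control and logs, and discard the user's password as soon as the request has been sent; only the returned access_token should be retained.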

Workflow schema

Here is a diagram describing the authentication and the flow of communication between your Application and Connect.

Sequence diagram for Resource Owner Password flow