The Password grant is used when the application exchanges the user’s username and password for an access token. This is exactly the thing OAuth was created to prevent in the first place, so you should never allow third-party apps to use this grant.
A common use for this grant type is to enable password logins for your service’s own apps. Users won’t be surprised to log in to the service’s website or native application using their username and password, but third-party apps should never be allowed to ask the user for their password.
The access token request will contain the following parameters.
grant_type(required) – The
grant_typeparameter must be set to “password”.
username(required) – The user’s username.
password(required) – The user’s password.
scope(optional) – The scope requested by the application.
- Client Authentication (required if the client was issued a secret)
If the client was issued a secret, then the client must authenticate this request. Typically the service will allow either additional request parameters
client_secret, or accept the client ID and secret in the HTTP Basic auth header.
The following is an example password grant the service would receive.
POST /oauth/token HTTP/1.1 Host: authorization-server.com grant_type=password &firstname.lastname@example.org &password=1234luggage &client_id=xxxxxxxxxx &client_secret=xxxxxxxxxx
See Access Token Response for details on the parameters to return when generating an access token or responding to errors.