This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
Resource Owner Password Credentials Grant
- Former user (Deleted)
- Former user (Deleted)
Recommended use
The resource owner password credentials grant type is suitable in cases where the resource owner has a trust relationship with the client (e.g., a service’s own mobile client) and in situations where client can obtain the resource owner’s credentials. This grant type can be used in situations where a client application is unable to handle browser redirections.
The flow
Instead of redirecting the user to the authorization server, the client itself will ask the user for the resource owner's username and password. The client will then send these credentials to the authorisation server along with the client’s own credentials.
Support for refresh token grant - Yes
The cURL commands below can be used to try this grant type.
curl -v -X POST -H "Authorization: Basic <base64 encoded client id:client secret value>" -k -d "grant_type=password&username=<username>&password=<password>" -H "Content-Type:application/x-www-form-urlencoded" https://localhost:9443/oauth2/token
curl -u <client id>:<client secret> -k -d "grant_type=password&username=<username>&password=<password>" -H "Content-Type:application/x-www-form-urlencoded" https://localhost:9443/oauth2/token
You will receive a response similiar to the format below.
{"token_type":"Bearer","expires_in":2510,"refresh_token":"5ba3dedc77581df5f84f9b228eef0b91","access_token":"ca19a540f544777860e44e75f605d927"}
- See the Try Password Grant topic to try out a sample of the resource owner password credentials grant with WSO2 Identity Server and WSO2 OAuth2 Playground.