OAuth 2 Password grant - AngularBuildUp/angular-microworkshops-authorization GitHub Wiki
There are two kinds of credential flows: one is client credentials and the other is resource owner password credentials (or ROPC). Using the ROPC flow, the credentials (i.e. username and password) of a resource owner (i.e. user) can be exchanged for an access token in a single request.
Consider using this grant type only when nothing else is available, and if that's the case, always use HTTPS (HTTP over transport-layer security, TLS), so that risks like man-in-the-middle attacks can be mitigated. Remember, when this grant type is used, the username and password are included in the request body, so over plain HTTP an attacker can easily steal the user's credentials.
The authorization request
The token request should be in a specific format when using the ROPC flow and should contain the following parameters in the request body. Note that the request is a POST and the body should be in x-www-form-urlencoded format. All parameters are required, except for the scope parameter.
- username. The resource owner's username.
- password. The resource owner's password.
- grant_type. Identifies the grant type used. For ROPC it is "password".
- scope (optional). Defines the scope of the authorization request.
- client_id. The issued client id.
- client_secret. The issued client secret.
The last two (client_id & client_secret) should only be used when the client is a confidential client that has been issued a secret by the authorization server. When that's the case, these two are required as well.
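As an added example (not code from this wiki or from the AngularBuildUp project), the following JavaScript builds the ROPC token request described above and enforces the rules the page states: the body is x-www-form-urlencoded, grant_type is "password", username and password are mandatory, scope is optional, and client_id/client_secret are either both present or both absent. It also refuses to build a request for a token endpoint that is not HTTPS, since the credentials travel in the body. The endpoint URL, client id, secret and user credentials in the usage call are constructed placeholders; the `requestToken` helper that sends the request with `fetch` is an assumption about how a client would use it and is not invoked here.

```javascript
// Added example: build and validate an OAuth 2 ROPC ("password" grant) token request.
// All identifiers below (endpoint, client id, secret, user) are constructed placeholders.

function buildPasswordGrantRequest({ tokenEndpoint, username, password, scope, clientId, clientSecret }) {
  // Credentials are sent in the body, so never build a request to a plain-HTTP endpoint.
  const url = new URL(tokenEndpoint);
  if (url.protocol !== 'https:') {
    throw new Error('token endpoint must use https; credentials would be sent in clear text');
  }
  if (!username || !password) {
    throw new Error('username and password are required for the password grant');
  }
  // client_id and client_secret are only used for confidential clients, and then both are required.
  if (Boolean(clientId) !== Boolean(clientSecret)) {
    throw new Error('client_id and client_secret must be supplied together');
  }

  // x-www-form-urlencoded body; URLSearchParams does the percent-encoding.
  const body = new URLSearchParams();
  body.set('grant_type', 'password');
  body.set('username', username);
  body.set('password', password);
  if (scope) body.set('scope', scope); // optional parameter
  if (clientId) {
    body.set('client_id', clientId);
    body.set('client_secret', clientSecret);
  }

  return {
    method: 'POST',
    url: url.toString(),
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Decode a form-encoded body back into a plain object (useful for inspecting what was built).
function parseFormBody(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Assumed usage: send the built request and return the parsed token response.
// Not called in this example because it needs a live authorization server.
async function requestToken(request) {
  const res = await fetch(request.url, {
    method: request.method,
    headers: request.headers,
    body: request.body,
  });
  if (!res.ok) {
    throw new Error(`token request failed with HTTP ${res.status}`);
  }
  return res.json(); // e.g. { access_token, token_type, expires_in, ... }
}

// Constructed sample values for a confidential client.
const sampleRequest = buildPasswordGrantRequest({
  tokenEndpoint: 'https://auth.example.test/connect/token',
  username: 'alice',
  password: 'p@ss word',
  scope: 'openid api',
  clientId: 'sample-client',
  clientSecret: 'sample-secret',
});
console.log(sampleRequest.body);
// grant_type=password&username=alice&password=p%40ss+word&scope=openid+api&client_id=sample-client&client_secret=sample-secret
```

The built request is an ordinary object, so it can be handed to `fetch`, to Angular's `HttpClient`, or inspected in a unit test; the `parseFormBody` helper decodes the encoded body back into the six named parameters.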