OAuth 2.0 – Resource Owner Password Credentials grant


The Resource Owner Password Credentials Grant (defined in RFC 6749, section 4.3) can be used directly as an authorization grant to obtain an access token, and optionally a refresh token. This grant should only be used when there is a high degree of trust between the user and the client and when other authorization flows are not available.

This grant type can eliminate the need for the client to store the user credentials for future use, by exchanging the credentials for a long-lived access token or refresh token.

How to implement the Resource Owner Password Credentials

Client's Grant Type

The client's grant type property must be set to password.

Register an Identify local user

You need to create a new Identify user:


Register the Client Id and Client Secret at Identify

From the Safewhere Admin application list, you can create an OAuth2.0 application, then open its sub tabs and update the following:

  • On its connection tab:
    • Client ID: Specifies the unique ID of the application. Client ID is case-sensitive.
    • Client secret: Specifies the Client secret of the application. Client secret is case-sensitive.
    • Token endpoint authentication method: Specifies the client authentication method to the token endpoint.
    • Allowed Callback URIs: Specifies the redirect URL after successful authentication, e.g. https://identifydomain/runtime/
    • Application name: Specifies the name of the application
    • Set the audience field of tokens which are issued for the application: Specifies the recipients (usually in URI format) that issued access tokens are intended for.


  • On its security tab:
    • JWS algorithm: Either RSASigning or HMACSymmetric.
    • Symmetric signing key: Used to generate an HMAC symmetric signing key; the key can be 32-byte, 48-byte, or 64-byte. You can then either copy the key and paste it into the configuration, or check the appropriate check box and click Select key to apply it.
    • Allow password flow: This setting must be True.


Ask for a Token

To ask Identify for tokens for any of your authorized client applications, perform a POST operation to the token endpoint:

URI parameters:

| Parameter | Description |
| --- | --- |
| client_id | Your application's Client ID. |
| client_secret | Your application's Client Secret. |
| grant_type | This must be "password". |
| username | The Identify username. |
| password | The Identify user's password, used to log in to Identify. |


The response contains a signed JSON Web Token, the token's type (which is Bearer), and how long until it expires, in Unix time (3600 seconds, which means 1 hour).
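A service that receives this access token should verify it, not just decode it. The sketch below is an added example, not Safewhere's code: it checks an HMAC-signed token's algorithm, signature, audience and expiry. It assumes the HMACSymmetric option corresponds to HS256/HS384/HS512 and that the token carries the standard `aud` and `exp` claims; the key, audience and token are constructed sample values.

```python
import base64, hashlib, hmac, json, time

HASHES = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a constructed sample token standing in for the token endpoint's output."""
    head = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), HASHES[alg]).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def verify_token(token: str, key: bytes, audience: str, alg: str = "HS256", now=None) -> dict:
    """Return the claims only if algorithm, signature, audience and expiry all pass."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm to the configured one; never let the header choose (e.g. "none").
    if not isinstance(header, dict) or header.get("alg") != alg:
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), HASHES[alg]).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))  # parsed only after the signature passed
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if (now if now is not None else time.time()) >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims

if __name__ == "__main__":
    key = bytes(range(32))               # constructed 32-byte key, not a real secret
    aud = "https://api.example.test/"    # constructed audience value
    tok = sign_token({"sub": "alice", "aud": aud, "exp": 1700003600}, key)
    print(verify_token(tok, key, aud, now=1700000000))
```
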

If you decode the access_token, you will see that it contains the following claims:


Q: I would like to include the refresh_token on the response. What can I do?

A: You can enable the "Allow refresh token" setting on the security tab of the OAuth2.0 application connection.


Here is a sample for the response:

Q: I want to use the "dk:gov:saml:attribute:CprNumberIdentifier" claim type for username, not the Name claim type. What can I do?

A: You can follow these steps:

  • Create the Identify local user who has the value of the "dk:gov:saml:attribute:CprNumberIdentifier" claim.
  • Create a NameID transformation whose source is "dk:gov:saml:attribute:CprNumberIdentifier".
  • Apply the claim transformation to the OAuth2.0 application.

Here is the sample result:

If you decode the access_token you will see that it contains the following claims: