OAuth 2.0 – Resource Owner Password Credentials grant

Overview

The Resource Owner Password Credentials Grant (defined in RFC 6749, section 4.3) can be used directly as an authorization grant to obtain an access token, and optionally a refresh token. This grant should only be used when there is a high degree of trust between the user and the client and when other authorization flows are not available.

This grant type can eliminate the need for the client to store the user's credentials for future use, by exchanging the credentials for a long-lived access token or refresh token.

How to implement the Resource Owner Password Credentials

Client's Grant Type

The client's grant type property must be set to password.

Register an Identify local user

You need to create a new Identify user:

[Screenshot: identify-admin-user]

Register the Client Id and Client Secret at Identify

In the Identify connection list, create an OAuth 2.0 protocol connection with the following configuration settings:

  • Client ID: Specifies the unique ID of the application. Client ID is case-sensitive.
  • Client secret: Specifies the Client secret of the application. Client secret is case-sensitive.
  • Redirect URL: Specifies the redirect URL after successful authentication, e.g. https://identifydomain/runtime/
  • Application name: Specifies the name of the application
  • Set the audience field of tokens which are issued for the application: Specifies the recipients (usually in URI format) that issued access tokens are intended for.
  • Allow password flow: This setting must be True.
  • JWS algorithm: Either RSASigning or HMACSymmetric.
  • Open auto-generated HMAC button: Used to generate an HMAC symmetric signing key; the key can be 32, 48, or 64 bytes long. You can then either copy the key and paste it into the configuration, or tick the appropriate check box and click Select key to apply it.

[Screenshot: identify-admin-oauth2-password]

Ask for a Token

To ask Identify for tokens for any of your authorized client applications, perform a POST operation to the token endpoint:

URI parameters:

Parameter       Description
client_id       Your application's Client ID.
client_secret   Your application's Client Secret.
grant_type      This must be "password".
username        The Identify username.
password        The Identify user's password, used to log in to Identify.

[Screenshot: oauth2-token-password]

The response contains a signed JSON Web Token, the token's type (which is Bearer), and the number of seconds until it expires (5400 seconds, i.e. 1.5 hours).

[Screenshot: oauth2-token-password-response]
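As an added example (not code from this page or from Safewhere Identify), the following Python client builds the password-grant request from the parameters listed above, sends it as a form-encoded POST body, checks the token response for the Bearer type and expires_in value described above, and verifies the returned JWT against the HMAC signing key and audience configured on the connection (signature, alg, exp and aud) before trusting it. The token endpoint URL, client ID and secret, user credentials, audience value and HMAC key are placeholders; the JWT claims are constructed rather than the page's; and the HMACSymmetric JWS setting is assumed to mean HS256 (HMAC-SHA256). The page lists the parameters as URI parameters, while this example places them in the request body, which is where RFC 6749 section 4.3.2 puts them and which keeps the password out of server and proxy logs.

```python
"""Added example (not Safewhere Identify's own code): a password-grant client
that builds the token request, checks the token response, and verifies the
returned JWT (signature, alg, exp, aud) before trusting it. Endpoint URL,
client id/secret, user credentials, audience and HMAC key are placeholders;
"HMACSymmetric" is assumed to mean HS256."""
import base64
import hashlib
import hmac
import json
import time
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://identifydomain/TOKEN_ENDPOINT_PLACEHOLDER"  # placeholder
DEMO_KEY = b"0" * 32               # constructed 32-byte HMAC key (32/48/64 allowed)
DEMO_AUDIENCE = "urn:example:api"  # constructed audience value
DEMO_ISSUED_AT = 1_700_000_000     # constructed issue time (Unix seconds)

def build_token_request(client_id, client_secret, username, password):
    """Form parameters for the password grant (RFC 6749 section 4.3.2)."""
    return {"grant_type": "password", "client_id": client_id,
            "client_secret": client_secret, "username": username,
            "password": password}

def post_token_request(endpoint, params, timeout=10):
    """POST the parameters as a form-encoded body over HTTPS (never in the
    query string, where the password would end up in server and proxy logs)."""
    req = urllib.request.Request(
        endpoint, data=urllib.parse.urlencode(params).encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())

def check_token_response(resp):
    """Return the access token only if the response has the shape the page
    describes: a Bearer token with a positive expires_in (page: 5400 seconds)."""
    if resp.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    if not isinstance(resp.get("expires_in"), int) or resp["expires_in"] <= 0:
        raise ValueError("missing or invalid expires_in")
    if not resp.get("access_token"):
        raise ValueError("missing access_token")
    return resp["access_token"]

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def verify_hs256_jwt(token, key, expected_audience, now=None):
    """Verify a compact JWS and return its claims, or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # rejects alg=none and algorithm confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or exp missing")
    aud = claims.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    return claims

def make_constructed_token(key, claims):
    """Sign a constructed HS256 token so the example runs offline; it stands
    in for the token Identify would return."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def demo():
    """Walk through the flow offline and return the verified claims."""
    params = build_token_request("CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER",
                                 "alice", "PASSWORD_PLACEHOLDER")
    # Offline stand-in for: response = post_token_request(TOKEN_ENDPOINT, params)
    token = make_constructed_token(DEMO_KEY, {
        "iss": "https://identifydomain", "sub": "alice", "aud": DEMO_AUDIENCE,
        "iat": DEMO_ISSUED_AT, "exp": DEMO_ISSUED_AT + 5400})
    response = {"access_token": token, "token_type": "Bearer", "expires_in": 5400}
    access_token = check_token_response(response)
    return verify_hs256_jwt(access_token, DEMO_KEY, DEMO_AUDIENCE,
                            now=DEMO_ISSUED_AT + 60)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run as a script, demo() walks through the flow offline with a constructed token; in a real client, replace the constructed response with the result of post_token_request(TOKEN_ENDPOINT, params). The verifier pins the algorithm to HS256 rather than reading it from the header, so a token with alg=none or one signed with a different algorithm is rejected outright, and it checks aud against the audience configured on the connection so a token issued for another application is not accepted as proof of this user's login.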

If you decode the access_token you will see that it contains the following claims:

FAQ

Q: I would like to include the refresh_token on the response. What can I do?

A: On the OAuth 2.0 protocol connection, enable the following setting:

[Screenshot: identify-admin-oauth2-refreshtoken]

Here is a sample for the response:

[Screenshot: identify-admin-oauth2-password-refreshtoken]

Q: I want to use the "dk:gov:saml:attribute:CprNumberIdentifier" claim type for username, not the Name claim type. What can I do?

A: Before creating the Identify user, check that:

  • The "dk:gov:saml:attribute:CprNumberIdentifier" claim type is set as the Identity bearing claim on the Username & Password authentication connection.
  • On the System Setup page, the "dk:gov:saml:attribute:CprNumberIdentifier" claim type is set for the "OAUTH 2.0 Default Name Claim Type" setting, when the "UseDefault" option is chosen for the "OAUTH 2.0 Name Claim Type Option" setting.

[Screenshot: identify-admin-systemsetup-oauth2]