OAuth 2.0 - Resource Owner Password Credentials grant
NOTE: Resource Owner Password Credentials Grant will be deprecated in OAuth 2.1. Please think twice before using this.
The Resource Owner Password Credentials Grant (defined in RFC 6749, section 4.3) can be used directly as an authorization grant to obtain an access token, and optionally a refresh token. This grant should only be used when there is a high degree of trust between the user and the client and when other authorization flows are not available.
This grant type can eliminate the need for the client to store the user's credentials for future use, because the credentials are exchanged once for a long-lived access token or refresh token.
How to implement the Resource Owner Password Credentials
Client's Grant Type
The client's grant type property must be set to password.
Register an Identify local user
You need to create a new Identify user:
Register the Client Id and Client Secret at Identify
At the Identify connection list, create an OAuth 2.0 protocol connection whose configuration settings contain the following:
- Client ID: Specifies the unique ID of the application. Client ID is case-sensitive.
- Client secret: Specifies the Client secret of the application. Client secret is case-sensitive.
- Redirect URL: Specifies the redirect URL after successful authentication, e.g. https://identifydomain/runtime/
- Application name: Specifies the name of the application
- Set the audience field of tokens which are issued for the application: Specifies the recipients (usually in URI format) that issued access tokens are intended for.
- Allow password flow: This setting must be True.
- JWS algorithm: Either RSASigning or HMACSymmetric.
- Open auto-generated HMAC button: Used to generate an HMAC symmetric signing key; the key can be 32, 48, or 64 bytes long. You can then either copy the key and paste it into the configuration, or check the appropriate check box and click Select key to apply it.
Ask for a Token
To ask Identify for tokens for any of your authorized client applications, perform a POST operation to the token endpoint with the following form parameters:
| Parameter | Description |
|---|---|
| client_id | Your application's Client ID. |
| client_secret | Your application's Client Secret. |
| grant_type | This must be "password". |
| username | The Identify username. |
| password | The Identify user's password used to log in to Identify. |
The response contains a signed JSON Web Token, the token's type (which is Bearer), and the number of seconds until it expires (5400 seconds, which means 1.5 hours).
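The exchange described above, as an added example that is not Identify's own code: a client builds the password-grant POST body, a minimal token endpoint validates the client credentials, the "Allow password flow" setting and the user's password, and issues an HS256-signed JWT with a 5400-second lifetime; a resource server then verifies the token. The client, user, audience and signing key are constructed sample values.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode

# Constructed sample registration (not real Identify data): one client, one local user, 32-byte HMAC key.
CLIENTS = {"my-app": {"secret": "s3cret-client-secret", "allow_password_flow": True,
                      "audience": "https://api.example.com"}}
USERS = {"alice": "correct horse battery staple"}
HMAC_KEY = secrets.token_bytes(32)
EXPIRES_IN = 5400  # seconds (1.5 hours), the lifetime quoted on this page

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def build_token_request(client_id, client_secret, username, password) -> str:
    """Client side: form-encoded body of the POST to the token endpoint."""
    return urlencode({"client_id": client_id, "client_secret": client_secret,
                      "grant_type": "password", "username": username, "password": password})
def sign_jwt(claims: dict, key: bytes) -> str:
    """JWS compact serialization with the HMACSymmetric (HS256) algorithm."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"
def verify_jwt(token: str, key: bytes, audience: str, now=None) -> dict:
    """Resource server side: pin the algorithm, then check signature, audience and expiry."""
    header, payload, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("aud") != audience or claims["exp"] <= (time.time() if now is None else now):
        raise ValueError("wrong audience or expired")
    return claims
def token_endpoint(form_body: str, now=None):
    """Authorization server side: returns (HTTP status, JSON body) for a password-grant request."""
    p = {k: v[0] for k, v in parse_qs(form_body).items()}
    client = CLIENTS.get(p.get("client_id"))
    if client is None or not hmac.compare_digest(client["secret"].encode(), p.get("client_secret", "").encode()):
        return 401, {"error": "invalid_client"}
    if p.get("grant_type") != "password" or not client["allow_password_flow"]:
        return 400, {"error": "unauthorized_client"}  # grant type not enabled for this client
    pw = USERS.get(p.get("username"))
    if pw is None or not hmac.compare_digest(pw.encode(), p.get("password", "").encode()):
        return 400, {"error": "invalid_grant"}  # same error for unknown user and wrong password
    now = int(time.time() if now is None else now)
    claims = {"sub": p["username"], "aud": client["audience"], "iat": now, "exp": now + EXPIRES_IN}
    return 200, {"access_token": sign_jwt(claims, HMAC_KEY), "token_type": "Bearer", "expires_in": EXPIRES_IN}
```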
If you decode the access_token you will see that it contains the following
Q: I would like to include the refresh_token on the response. What can I do?
A: At the OAuth2.0 protocol connection, you can enable the setting:
Here is a sample for the response:
Q: I want to use the "dk:gov:saml:attribute:CprNumberIdentifier" claim type for username, not the Name claim type. What can I do?
A: Before creating the Identify user, you need to check that:
- The "dk:gov:saml:attribute:CprNumberIdentifier" claim type is set as the Identity bearing claim on the Username & Password authentication connection.
- At the System Setup page, you need to set the "dk:gov:saml:attribute:CprNumberIdentifier" claim type for the "OAUTH 2.0 Default Name Claim Type" setting when the "UseDefault" option is chosen for the "OAUTH 2.0 Name Claim Type Option" setting.