
    OAuth 2.0 - Resource Owner Password Credentials grant

    Overview

    NOTE: Resource Owner Password Credentials Grant will be deprecated in OAuth 2.1. Please think twice before using this.
    

    The Resource Owner Password Credentials Grant (defined in RFC 6749, section 4.3) can be used directly as an authorization grant to obtain an access token, and optionally a refresh token. This grant should only be used when there is a high degree of trust between the user and the client and when other authorization flows are not available.

    This grant type can eliminate the need for the client to store the user credentials for future use, by exchanging the credentials with a long-lived access token or refresh token.

    [Figure: oauth2-password-diagram-happy-case]

    How to implement the Resource Owner Password Credentials

    Client's Grant Type

    The client's grant type property must be set to password.

    Register an Identify local user

    You need to create a new Identify user:

    [Screenshot: swadmin-user]

    From the Safewhere Admin application list, you can create an OAuth 2.0 application, then open its sub tabs and update the following:

    • On its connection tab:
      • Client ID: Specifies the unique ID of the application. Client ID is case-sensitive.
      • Client secret: Specifies the Client secret of the application. Client secret is case-sensitive.
      • Token endpoint authentication method: Specifies the client authentication method to the token endpoint.
      • Allowed Callback URIs: Specifies the redirect URL after successful authentication, e.g. https://identifydomain/runtime/
      • Application name: Specifies the name of the application
      • Security token audiences: Specifies the recipients (usually in URI format) that issued access tokens are intended for. When the resource parameter is missing, an access token is issued with its 'aud' claim set to all configured audiences.

    [Screenshot: swadmin-oauth2-password-connection]

    • On its security tab:
      • JWS algorithm: Either RSASigning or HMACSymmetric.
      • Symmetric signing key: Used to generate an HMAC symmetric signing key of 32, 48, or 64 bytes. You can then either copy the key and paste it into the configuration, or check the appropriate check box and click Select key to apply it.
      • Allow password flow: This setting must be True.



    Ask for a token

    To ask Identify for tokens for any of your authorized client applications, perform a POST operation to the token endpoint:

    https://#identifydomain/runtime/oauth2/token.idp
    

    URI parameters:

    Parameter      Description
    client_id      Your application's client ID
    client_secret  Your application's client secret
    grant_type     Must be "password"
    username       The Identify username
    password       The Identify user's password


    The response contains a signed JSON Web Token, the token's type (which is Bearer), and its lifetime in seconds (expires_in: 3600, which means 1 hour).

    {
        "scope": "identify*empty",
        "token_type": "Bearer",
        "access_token": "eyJhbGciO...R1FVrH5g",
        "expires_in": 3600
    }
    

    If you decode the access_token, you will see that it contains the following claims:

    {
      "unique_name": "identifyuser1",
      "sub": "identifyuser1",
      "name": "identifyuser1",
      "urn:internal:userid": "f60756f6-3f8f-4723-ad52-123456",
      "token_usage": "access_token",
      "jti": "2b94a884-1cef-4f2b-8f3f-123456",
      "scope": "identify*empty",
      "aud": "https://idp.safewhere.local/runtime/",
      "azp": "client_connect_sample_id1",
      "iat": 1590374925,
      "nbf": 1590374925,
      "exp": 1590378525,
      "iss": "https://idp.safewhere.local/runtime/oauth2"
    }
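    As an added example (not code from this page or from Safewhere), here is a Python client that builds the password-grant request body from the parameters above and then verifies the returned access token before trusting any of its claims, for an application whose JWS algorithm is HMACSymmetric. TOKEN_ENDPOINT uses the page's placeholder host; the mapping of HMACSymmetric to HS256 and the mint_sample_token helper (which stands in for Identify's output so the code runs offline) are assumptions.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

# Placeholder host taken from the page; replace with your Identify domain.
TOKEN_ENDPOINT = "https://identifydomain/runtime/oauth2/token.idp"


def password_grant_body(client_id, client_secret, username, password):
    """Form-encoded body to POST to TOKEN_ENDPOINT (parameters from the page's table)."""
    return urlencode({"grant_type": "password", "client_id": client_id,
                      "client_secret": client_secret, "username": username,
                      "password": password})


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_sample_token(claims, key):
    """Constructed HS256 token for offline testing; stands in for what Identify returns."""
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


def verify_access_token(token, key, expected_aud, now=None):
    """Check alg, signature, token_usage, nbf/exp window and aud before trusting claims.
    Assumes Identify's HMACSymmetric setting means HS256 (an assumption, not stated on the page)."""
    now = int(time.time()) if now is None else now
    h_b64, p_b64, s_b64 = token.split(".")
    if json.loads(_b64url_decode(h_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token, chooses the algorithm
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("token_usage") != "access_token":
        raise ValueError("not an access token")  # a refresh token must not pass here
    if not claims["nbf"] <= now < claims["exp"]:
        raise ValueError("token outside its nbf/exp window")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token issued for another audience")
    return claims
```

    The aud check accepts both a single string and a list, since an access token issued without a resource parameter carries all configured audiences.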
    

    FAQ

    Q: I would like to include the refresh_token on the response. What can I do?

    A: You can enable the "Allow refresh token" setting on the security tab of the OAuth 2.0 application connection.

    [Screenshot: swadmin-oauth2-password-security-refreshtoken]

    Here is a sample response:

    {
        "scope": "offline_access",
        "token_type": "Bearer",
        "access_token": "eyJhbGciO...zn9LGXg",
        "expires_in": 3600,
        "refresh_token": "CfDJ8KrDPV...1UdTBDln4s"
    }
    
    

    Q: I want to use the "dk:gov:saml:attribute:CprNumberIdentifier" claim type for username, not the Name claim type. What can I do?

    A: You can follow these steps:

    • Create the Identify local user who has a value for the "dk:gov:saml:attribute:CprNumberIdentifier" claim.
    • Create a NameID transformation whose source is "dk:gov:saml:attribute:CprNumberIdentifier".
    • Apply the claim transformation to the OAuth 2.0 application.

    Here is a sample result:

    {
        "scope": "identify*empty",
        "token_type": "Bearer",
        "access_token": "eyJhbGci...dhPSxfhNVg",
        "expires_in": 3600
    }
    
    

    If you decode the access_token, you will see that it contains the following claims:

    {
      "unique_name": "admin",
      "sub": "12345678",
      "dk:gov:saml:attribute:CprNumberIdentifier": "12345678",
      "urn:anyid:role": "HelloAngel",
      "urn:identify:rest-api:role": "HelloAngel",
      "name": "12345678",
      "urn:internal:userid": "ca7b48ac-830f-4126-bdc2-123456",
      "token_usage": "access_token",
      "jti": "e4f0625a-f57a-43b1-8b77-12123",
      "scope": "identify*empty",
      "aud": "https://idp.safewhere.local/runtime/",
      "azp": "client_connect_sample_id1",
      "iat": 1590389355,
      "nbf": 1590389355,
      "exp": 1590392955,
      "iss": "https://idp.safewhere.local/runtime/oauth2"
    }
    