Password Credentials Grant
  • 18 Nov 2023

The OAuth 2.0 Resource Owner Password Credentials grant (RFC 6749, section 4.3) is intended only for clients the user already trusts with their credentials, such as the device operating system or a highly privileged first-party application. The client collects the user's username and password and exchanges them directly for an access token, so the user's password passes through the client rather than being entered only at the identity provider.

Get a token

After your application has been registered and granted the necessary authorization, you can acquire access tokens for APIs. To get a token with the password grant, send a POST request to the /oAuth/rest/v2/Token endpoint of the Agile.Now identity platform.

Access token request with user credentials

POST /oAuth/rest/v2/Token HTTP/1.1           //Line breaks for clarity
Host: login.agilenow.io:443
Content-Type: application/x-www-form-urlencoded

username=USERNAME
&password=PASSWORD
&client_id=CLIENT_ID
&client_secret=CLIENT_SECRET
&grant_type=password
Parameter      Required/optional  Description
client_id      Required           The application ID assigned to your app. You can find it in the portal where you registered your app.
client_secret  Recommended        The client secret you generated for your app in the app registration portal. It must be form-URL-encoded before being sent. Alternatively, the client credentials may be supplied in an HTTP Basic Authorization header, as described in RFC 6749 (section 2.3.1).
username       Required           The username of the platform user, for example john.doll@acme.com.
password       Required           The password of the platform user.
grant_type     Required           Must be set to password.

Successful response

A successful response looks like this:

{
  "token_type": "Bearer",
  "expires_in": 3599,
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzIBP...",
  "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA"
}

Error response

An error response (400 Bad Request) looks like this. Note that the error value is platform-specific: RFC 6749 (section 5.2) would report a rejected username or password as invalid_grant, so clients should branch on the HTTP status rather than match on the standard error names:

{
   "error":"Unauthorized",
   "error_description":"Invalid username or password.",
   "Errors": [
     "Invalid username or password."
   ],
   "Type": "/Errors/Unauthorized",
   "Title": "Unauthorized",
   "StatusCode": 400,
   "Instance": "/oAuth/rest/v2/Token"
}

Use a token

Send the acquired access token with every request to the resource in the Authorization header, as Authorization: Bearer <access_token>. The token is valid for expires_in seconds (3599 in the example above); once it expires, request a new token from the /oAuth/rest/v2/Token endpoint.
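The full exchange, as an added example that is not part of the Agile.Now documentation: building the form body (or the RFC 6749 Basic header the parameter table mentions), judging the response by HTTP status rather than by the platform-specific error name, and attaching the Bearer token to a resource request. TOKEN_URL is assumed from the Host and path shown above; the sample password, the fake_transport stand-in, the needs_renewal helper and the constructed response bodies are illustration only, while http_post is a real transport that would reach the live endpoint.

```python
"""Password-grant client for the /oAuth/rest/v2/Token endpoint described above.
Added example, not code from the Agile.Now documentation. TOKEN_URL is assumed
from the Host and path in the article; the transport is injectable so the flow
runs offline against the constructed responses at the bottom of this file."""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.agilenow.io/oAuth/rest/v2/Token"  # assumed, see above

class TokenError(Exception):
    """Raised when the token endpoint answers with an error body."""
    def __init__(self, status, error, description):
        super().__init__(f"HTTP {status} {error}: {description}")
        self.status, self.error, self.description = status, error, description

def build_token_request(username, password, client_id, client_secret=None,
                        basic_auth=False):
    """Return (headers, body) for grant_type=password. urlencode() form-encodes
    every value, so '&', '=' or '+' in a password or secret cannot corrupt the
    body. basic_auth=True moves the client credentials into an Authorization
    header (RFC 6749 section 2.3.1), which the article says is also accepted."""
    form = {"grant_type": "password", "username": username, "password": password}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if basic_auth and client_secret is not None:
        cred = (urllib.parse.quote(client_id, safe="") + ":"
                + urllib.parse.quote(client_secret, safe=""))
        headers["Authorization"] = "Basic " + base64.b64encode(cred.encode()).decode()
    else:
        form["client_id"] = client_id
        if client_secret is not None:
            form["client_secret"] = client_secret
    return headers, urllib.parse.urlencode(form)

def parse_token_response(status, body_text, now=None):
    """Validate a token response; raise TokenError for any non-success body.
    The HTTP status is checked, not the 'error' name, because the value in the
    article ('Unauthorized') is platform-specific rather than an RFC 6749 code.
    Adds an absolute 'expires_at' so callers can renew before expires_in elapses."""
    data = json.loads(body_text)
    if status != 200 or "access_token" not in data:
        raise TokenError(status, data.get("error", "unknown_error"),
                         data.get("error_description", body_text))
    if str(data.get("token_type", "")).lower() != "bearer":
        raise TokenError(status, "unsupported_token_type", str(data.get("token_type")))
    now = time.time() if now is None else now
    data["expires_at"] = now + int(data.get("expires_in", 0))
    return data

def http_post(url, headers, body):
    """Default transport: a real HTTPS POST returning (status, body_text)."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:  # the 400 error body lands here
        return exc.code, exc.read().decode()

def get_token(username, password, client_id, client_secret,
              transport=http_post, url=TOKEN_URL):
    headers, body = build_token_request(username, password, client_id, client_secret)
    status, text = transport(url, headers, body)
    return parse_token_response(status, text)

def bearer_header(token):
    """Header to attach to every resource request made with the token."""
    return {"Authorization": "Bearer " + token["access_token"]}

def needs_renewal(token, now=None, skew=30):
    """True once the token is within `skew` seconds of expiry; re-request then."""
    now = time.time() if now is None else now
    return now + skew >= token["expires_at"]

# Constructed sample responses shaped like the article's success and error bodies.
SAMPLE_OK = json.dumps({"token_type": "Bearer", "expires_in": 3599,
                        "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.example",
                        "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA"})
SAMPLE_ERR = json.dumps({"error": "Unauthorized", "StatusCode": 400,
                         "error_description": "Invalid username or password."})

def fake_transport(url, headers, body):
    """Offline stand-in for http_post that accepts one constructed password."""
    form = urllib.parse.parse_qs(body)
    if form.get("grant_type") == ["password"] and form.get("password") == ["S3cret pass&word"]:
        return 200, SAMPLE_OK
    return 400, SAMPLE_ERR

if __name__ == "__main__":
    tok = get_token("john.doll@acme.com", "S3cret pass&word", "CLIENT_ID", "CLIENT_SECRET",
                    transport=fake_transport)
    print(bearer_header(tok), "renew now?", needs_renewal(tok))
    try:
        get_token("john.doll@acme.com", "wrong", "CLIENT_ID", "CLIENT_SECRET",
                  transport=fake_transport)
    except TokenError as exc:
        print("rejected:", exc)
```

Run it as-is to exercise the offline path; pass transport=http_post (the default) and real credentials to talk to the live endpoint. The password is held only for the duration of get_token and never written anywhere, which is the minimum a client using this grant should guarantee.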

OAuth 2.0 password grant type and multi-factor authentication (MFA)

This flow cannot be used for accounts with Multi-Factor Authentication (MFA) enabled. MFA requires two or more verification methods: something the user knows (password), something the user has (security token or phone) or something the user is (biometric verification). The password grant carries only a username and password in a single request, with no step at which a second factor could be collected or verified, so the identity platform has no way to complete MFA for it.

Recommendations

  • Avoid the password grant type: because it exposes the user's password to the client and cannot support MFA, avoid it wherever possible. The OAuth 2.0 Security Best Current Practice deprecates this grant for the same reasons.
  • Alternative flows: prefer the Authorization Code grant (with PKCE for public clients), which keeps the password at the identity provider and supports MFA.
  • Enhance security: if you must use the password grant, send requests only over TLS, never log or persist the user's password, hold the password only for the duration of the token request, store the returned tokens in protected storage and request only the scope the application needs.

Following these recommendations keeps user authentication and authorization manageable without lowering the security bar set by the rest of the platform.

