Caution
The documentation you are viewing is for an older version of this component.
Password grant
This use case allows authentication to an API using the user's credentials (generally a username and password). The typical scenario includes a "Login" web page that captures a username and password combination that is used to authenticate against a first-party API. Password grant is only appropriate for trusted clients. If you build your own website as a client of your API, then this is a great way to handle logging in.
The client sends a POST request with the following parameters:
- grant_type with the value password.
- client_id with the client's ID.
- client_secret with the client's secret.
- scope with a space-delimited list of requested scope permissions.
- username with the user's username.
- password with the user's password.
The authorization server responds with a JSON body as follows:
{
"token_type" : "Bearer",
"expires_in" : "3600",
"refresh_token" : "YWYwNjhmNmZmMDhmZjkyOGJj...",
"access_token" : "eyJ0eXAiOiJKV1Q..."
}
The token_type is the type of the generated token (Bearer). The expires_in is an
integer representing the TTL (in seconds) of the access token. The
refresh_token is a token that can be used to obtain a new access_token once the
current one has expired. The access_token is a JWT signed with the authorization
server's private key. This token must be sent in the Authorization HTTP request
header of subsequent API calls.
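As an added example (not code from this project), the client side of the exchange described above: building the password-grant POST, refusing to send the user's credentials and the client secret over anything but TLS, and turning the JSON response into the Authorization header value and an expiry deadline. The token endpoint URL, client credentials and user credentials are assumed placeholders.

```python
import json
import time
from urllib.parse import urlencode, urlparse
from urllib.request import Request, urlopen

# Assumed token endpoint; the page does not name one.
TOKEN_URL = "https://auth.example.com/oauth/token"

def build_token_request(client_id, client_secret, username, password, scopes):
    """Build the POST request for the password grant with the six parameters above."""
    if urlparse(TOKEN_URL).scheme != "https":
        # The user's password and the client secret travel in the body: TLS only.
        raise ValueError("token endpoint must use https")
    form = {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": " ".join(scopes),  # space-delimited list of requested scopes
        "username": username,
        "password": password,
    }
    req = Request(TOKEN_URL, data=urlencode(form).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req

def parse_token_response(raw, now=None):
    """Validate the JSON token response and derive what the client needs from it."""
    data = json.loads(raw)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    ttl = int(data["expires_in"])  # the sample response carries it as a string
    now = time.time() if now is None else now
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),
        "expires_at": now + ttl,  # refresh before this point, not after a 401
        # Value to send in the Authorization header of API requests.
        "authorization": "Bearer " + data["access_token"],
    }

def request_token(client_id, client_secret, username, password, scopes, opener=urlopen):
    """Send the request and parse the reply; `opener` is injectable for offline tests."""
    req = build_token_request(client_id, client_secret, username, password, scopes)
    with opener(req) as resp:
        return parse_token_response(resp.read().decode())
```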