Resource Owner Password Credentials

Resource Owner Password Credentials grant type

The Resource Owner Password Credentials (ROPC) grant type is used when a service wants to grant access to applications which will ask the end user for their username and password for the service.

This grant type is usually only suitable for applications that are provided by the same organization that provides the service. This is because the application needs to be trusted: it receives the user's credentials for the service, and there is no way to obtain explicit user consent for the requested scopes during the grant type flow.

The ROPC flow is an API-only flow. It can be implemented by any application that can obtain a username and password from the user. The application maintains complete control of the user experience.

In this flow the application simply sends the username and password of the end user to the token endpoint of the Authorization Server. The Authorization Server validates the username and password and, if correct, returns an Access Token.
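The exchange described above, as an added example that is not part of the original page or of any IBM product: an application posts the user's credentials to a token endpoint, and a stand-in Authorization Server validates them and returns an Access Token. The form fields and error codes follow RFC 6749 (sections 4.3 and 5.2); the client ID, user, secrets and the in-process server are constructed for illustration, and plain HTTP is used only because the request stays on loopback.

```python
import base64, hmac, json, secrets, threading
import urllib.error, urllib.parse, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CLIENTS = {"first-party-app": "client-secret"}  # constructed sample client
USERS = {"alice": "correct-horse"}              # constructed sample user

def matches(stored, supplied):
    # Constant-time compare; an unknown name (stored is None) never matches.
    return stored is not None and hmac.compare_digest(stored.encode(), supplied.encode())

class TokenEndpoint(BaseHTTPRequestHandler):  # stand-in Authorization Server
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
        form = dict(urllib.parse.parse_qsl(body))
        basic = self.headers.get("Authorization", "")[len("Basic "):]
        cid, _, csecret = base64.b64decode(basic).decode().partition(":")
        if not matches(CLIENTS.get(cid), csecret):
            return self.reply(401, {"error": "invalid_client"})
        if form.get("grant_type") != "password":
            return self.reply(400, {"error": "unsupported_grant_type"})
        if not matches(USERS.get(form.get("username", "")), form.get("password", "")):
            return self.reply(400, {"error": "invalid_grant"})
        self.reply(200, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"})

    def reply(self, status, payload):
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Cache-Control", "no-store")  # token responses must not be cached
        self.end_headers()
        self.wfile.write(data)

def request_token(url, client_id, client_secret, username, password):
    """Application side: send the user's credentials straight to the token endpoint."""
    form = urllib.parse.urlencode({"grant_type": "password", "username": username, "password": password})
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(url, data=form.encode(), headers={"Authorization": "Basic " + basic})
    try:
        with urllib.request.build_opener(urllib.request.ProxyHandler({})).open(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)

def demo():
    server = HTTPServer(("127.0.0.1", 0), TokenEndpoint)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/token"
    results = [request_token(url, "first-party-app", "client-secret", "alice", pw) for pw in ("correct-horse", "wrong")]
    server.shutdown()
    return results
```

`demo()` returns the result for a correct password (status 200 with a bearer token) followed by the result for a wrong one (status 400, `invalid_grant`); note that the application handles the raw password in both cases, which is why the flow requires a trusted application.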

Jon Harry, IBM Security
