The Password grant is used when the application exchanges the user’s username and password directly for an access token. Handing a password to an application is exactly what OAuth was created to avoid in the first place, so you should never allow third-party apps to use this grant. (The OAuth 2.0 Security Best Current Practice goes further and recommends against using this grant at all; the authorization code flow works for first-party apps too.)
The one common use for this grant type is enabling password logins for your service’s own apps. Users won’t be surprised to log in to the service’s website or native application with their username and password, but a third-party app should never be allowed to ask the user for their password, and the authorization server should reject the grant for any client that is not first-party.
Request Parameters
The access token request will contain the following parameters.
- grant_type (required) – The grant_type parameter must be set to “password”.
- username (required) – The user’s username.
- password (required) – The user’s password.
- scope (optional) – The scope requested by the application.
- Client Authentication (required if the client was issued a secret)
If the client was issued a secret, then the client must authenticate this request. Typically the service will allow either the additional request parameters client_id and client_secret in the body, or the client ID and secret in the HTTP Basic auth header.
Example
The following is an example password grant the service would receive.
POST /oauth/token HTTP/1.1
Host: authorization-server.com
Content-Type: application/x-www-form-urlencoded

grant_type=password
&username=user@example.com
&password=1234luggage
&client_id=xxxxxxxxxx
&client_secret=xxxxxxxxxx
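The following is an added example of how an authorization server might handle the request above; it is not code from the original page or from any particular OAuth library. It parses the form body, accepts client credentials either as body parameters or in an HTTP Basic header, refuses the grant for clients that are not first-party, verifies the password with a constant-time comparison, and returns the standard OAuth error codes. The client and user tables (CLIENTS, USERS), the salt, the basic_auth_header helper and the handle_token_request function are all constructed for this example.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed client registry (hypothetical). Only first-party clients may use
# the password grant; a public native app has no secret and so skips client auth.
CLIENTS = {
    "xxxxxxxxxx": {"secret": "xxxxxxxxxx", "first_party": True},
    "third-party-app": {"secret": "another-secret", "first_party": False},
    "public-native-app": {"secret": None, "first_party": True},
}

_SALT = b"constructed-salt"  # a real server stores a per-user salt


def _hash_password(password: str, salt: bytes) -> bytes:
    """Slow password hash so stolen hashes are expensive to crack."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> password hash.
USERS = {"user@example.com": _hash_password("1234luggage", _SALT)}


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the HTTP Basic value a client would send instead of body params."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def _client_credentials(headers: dict, form: dict):
    """Return (client_id, client_secret) from HTTP Basic auth or the form body."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[len("Basic "):]).decode()
        except (ValueError, UnicodeDecodeError):
            return None, None
        client_id, _, client_secret = decoded.partition(":")
        return client_id, client_secret
    return form.get("client_id"), form.get("client_secret")


def handle_token_request(headers: dict, body: str):
    """Process a password-grant token request. Returns (status, json_dict)."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}

    # Client authentication: required whenever the client was issued a secret.
    client_id, client_secret = _client_credentials(headers, form)
    client = CLIENTS.get(client_id)
    if client is None:
        return 401, {"error": "invalid_client"}
    if client["secret"] is not None:
        if client_secret is None or not hmac.compare_digest(
            client["secret"].encode(), client_secret.encode()
        ):
            return 401, {"error": "invalid_client"}

    # Third-party clients must never be able to use this grant.
    if not client["first_party"]:
        return 400, {"error": "unauthorized_client"}

    username, password = form.get("username"), form.get("password")
    if username is None or password is None:
        return 400, {"error": "invalid_request"}

    # Hash even for unknown users so response time does not reveal whether
    # the account exists; compare in constant time.
    stored = USERS.get(username)
    candidate = _hash_password(password, _SALT)
    if stored is None or not hmac.compare_digest(stored, candidate):
        return 400, {"error": "invalid_grant"}

    token = {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": 3600,
    }
    if form.get("scope"):
        token["scope"] = form["scope"]
    return 200, token
```

Note that a failed client authentication is reported as invalid_client before the password is ever checked, so an attacker without valid client credentials cannot use the token endpoint to guess user passwords; rate limiting on the username is still needed for the first-party clients that are allowed through.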