
OAuth 2.0 Resource Owner Password Grant

The Resource Owner Password grant issues tokens to trusted applications in exchange for a user's username and password. Because the application handles the user's password directly, it should be limited to first-party applications the organization trusts with those credentials; the OAuth 2.0 Security Best Current Practice recommends against this grant for anything else, and because there is no interactive step it cannot be used for users who sign in through multi-factor or federated authentication. The flow bypasses the authorization endpoint: all tokens are returned directly from the token endpoint. The sequence for this flow is as follows:

  1. The client application initiates the flow by sending the credentials directly to the EmpowerID token endpoint with the required parameters. These parameters are described below.
  2. The token endpoint returns an access token, a refresh token and, if the openid scope was requested, an ID token.
Tip: You can download sample .NET Framework code at https://dl1.empowerid.com/files/OAuthTestSampleCode.zip.

OAuth Discovery Endpoint

https://<EID Server>/oauth/.well-known/openid-configuration

Resource Owner Password Grant

  1. Initiate a request to the EmpowerID Token endpoint, https://<EID Server>/oauth/v2/token

    POST /oauth/v2/token HTTP/1.1
    Host: <EID Server>
    Content-Type: application/x-www-form-urlencoded
    Authorization: Basic base64Encode(<username>:<password>)
    Cache-Control: no-cache

    client_id={The Client ID of the OAuth app you registered in EmpowerID}
    &client_secret={The Client Secret of the OAuth app you registered in EmpowerID}
    &grant_type=password
    &scope=openid
    Header parameter   Required/Optional   Description
    Authorization      required            Base64-encoded username and password of the EmpowerID Person requesting the token: base64Encode(<username>:<password>)
    Content-Type       required            Must be application/x-www-form-urlencoded.

    POST body parameter   Required/Optional   Description
    client_id             required            Must be the EmpowerID OAuth application client identifier.
    client_secret         required            Must be the EmpowerID OAuth application client secret.
    grant_type            required            Must be password.
    scope                 required            A space-separated list of scope strings the user consents to. Values include openid for the OpenID Connect flow.

    Note that this layout differs from RFC 6749 section 4.3.2, where the resource owner's username and password are form parameters and the Authorization header carries the client credentials: here the user's credentials travel in the Authorization header and the client_id and client_secret in the body. Base64 is an encoding, not encryption, so the request must only ever be sent over TLS, and the client_secret must stay on a server-side or otherwise trusted client, never in a browser or a distributed mobile binary.
  2. The token endpoint returns the access token and refresh token (and an ID token when the openid scope was requested) in the response body:

    {
    "access_token": "xxxxxxxxxxxxxxxxxxxxxx",
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "xxxxxxxxxxxxxxxxxxxxxx",
    "id_token": "xxxxxxxxxxxxxxxxxxxxxx",
    "id": "xxxxxxxxxxxxxxxxxxxxxx"
    }
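The request and response above, as an added example that is not code from the EmpowerID page or product: it builds the Authorization header and form body exactly as laid out in the table, refuses to send credentials anywhere but an https endpoint, reads the token endpoint from the discovery document after checking the issuer, and parses the token response (including the error shape from RFC 6749 section 5.2) into an absolute expiry. The host idp.example, the client_id/client_secret, the sample user and the two sample JSON documents are constructed assumptions; the live call is isolated in send_token_request() so everything else runs offline.

```python
"""Added example, not EmpowerID's code: build, send and parse the Resource
Owner Password Grant request documented above.

Assumptions (not from the page): the host idp.example, the client_id/secret,
the sample user and the constructed discovery/token documents at the bottom."""
import base64
import json
import time
import urllib.parse
import urllib.request


def basic_auth_header(username, password):
    """Authorization value the page specifies: Base64 of '<username>:<password>'
    for the EmpowerID Person. Base64 is encoding, not encryption, so the
    request must only ever go over TLS. UTF-8 is assumed for non-ASCII input."""
    if ":" in username:
        raise ValueError("username must not contain ':' (it would split the pair)")
    pair = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(pair).decode("ascii")


def build_token_request(token_endpoint, client_id, client_secret,
                        username, password, scope="openid"):
    """Return (url, headers, body) for POST /oauth/v2/token as shown above.
    The user's credentials go in the Authorization header and the client
    credentials in the form body, which is how this page lays them out."""
    if not token_endpoint.lower().startswith("https://"):
        raise ValueError("refusing to send credentials to a non-https endpoint")
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": basic_auth_header(username, password),
        "Cache-Control": "no-cache",
    }
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "password",
        "scope": scope,
    }).encode("ascii")
    return token_endpoint, headers, body


def parse_token_response(raw, now=None):
    """Validate the JSON token response and turn expires_in into an absolute
    time so the caller can refresh before the access token lapses."""
    now = time.time() if now is None else now
    doc = json.loads(raw)
    if "error" in doc:  # RFC 6749 section 5.2 error response shape
        raise RuntimeError(f"{doc['error']}: {doc.get('error_description', '')}")
    for key in ("access_token", "token_type", "expires_in"):
        if key not in doc:
            raise ValueError(f"token response is missing {key}")
    if doc["token_type"].lower() != "bearer":
        raise ValueError(f"unexpected token_type {doc['token_type']!r}")
    return {
        "access_token": doc["access_token"],
        "refresh_token": doc.get("refresh_token"),
        "id_token": doc.get("id_token"),  # present when scope included openid
        "expires_at": now + int(doc["expires_in"]),
    }


def token_endpoint_from_discovery(discovery_json, expected_issuer):
    """Read token_endpoint from /oauth/.well-known/openid-configuration, but
    only after checking the issuer, so a substituted document cannot redirect
    the credentials to another host."""
    doc = json.loads(discovery_json)
    if doc.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r}")
    return doc["token_endpoint"]


def send_token_request(token_endpoint, client_id, client_secret, username, password):
    """Live call (not exercised offline): POST the request and parse the reply."""
    url, headers, body = build_token_request(token_endpoint, client_id,
                                             client_secret, username, password)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read().decode("utf-8"))


# Constructed sample documents (assumptions, not captured from an EmpowerID server).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example/oauth",
    "token_endpoint": "https://idp.example/oauth/v2/token",
})
SAMPLE_RESPONSE = json.dumps({
    "access_token": "at-xxxx", "token_type": "Bearer", "expires_in": 3600,
    "refresh_token": "rt-xxxx", "id_token": "idt-xxxx",
})

if __name__ == "__main__":
    endpoint = token_endpoint_from_discovery(SAMPLE_DISCOVERY, "https://idp.example/oauth")
    url, headers, body = build_token_request(endpoint, "app-123", "shh", "alice", "s3cret")
    print(url, headers["Authorization"], body)
    print(parse_token_response(SAMPLE_RESPONSE, now=0))
```

The expires_at value is what a client should schedule its refresh against; treating expires_in as a string to display, as many clients do, is how sessions end up sending expired bearer tokens and retrying with the password again.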

Resource Owner Password Grant using .NET Client Library

  1. Initialize ClientSettings by passing the client_id, client_secret, redirect_uri, token_endpoint, authorization_endpoint, tokeninfo_endpoint and userinfo_endpoint, then create a ResourceOwnerPasswordGrant from that ClientSettings model. Read the client secret from configuration or a secret store rather than compiling it into the application.

    // Endpoints follow the EmpowerID URL layout; replace <EID Server> with your server host.
    var clientSettings = new ClientSettings(
        "client_id",
        "client_secret",
        "redirect_uri",
        "https://<EID Server>/oauth/v2/token",
        "https://<EID Server>/oauth/v2/ui/authorize",
        "https://<EID Server>/oauth/v2/tokeninfo",
        "https://<EID Server>/oauth/v2/userinfo");

    var handler = new ResourceOwnerPasswordGrant(clientSettings);
  2. Call the GetAccessToken() method to retrieve the access_token, refresh_token and other token-related information. The username and password are those of the EmpowerID Person requesting the token; "openid" is the scope and adds an ID token to the response.

    AccessTokenResponseModel responseModel = null;
    try
    {
        // POSTs the form-encoded password grant request to the token endpoint
        // and deserializes the JSON response into AccessTokenResponseModel.
        responseModel = handler.GetAccessToken<AccessTokenResponseModel>(
            RequestMethod.POST,
            ParameterFormat.FormUrlEncoded,
            "username",
            "password",
            "openid");
    }
    catch (Exception ex)
    {
        // Handle the error (invalid credentials, unreachable endpoint, malformed response).
        // Do not log the password or the returned tokens.
    }