
OAuth 2.0 Resource Owner Password Credentials Flow

The Resource Owner Password Credentials (ROPC) flow enables a client application to directly fetch an access_token and refresh_token using the user's credentials (e.g., email, username, phone ID, and password).

Use Case

  • Best suited for scenarios where the user strongly trusts the application.
  • Does not involve redirects like the Authorization Code or Implicit flows.
  • Ideal for trusted environments where the application can securely handle user credentials.

Implementation Steps

Step 1: Obtain Access Token

To fetch an access_token, make a POST request to the /token endpoint with the user credentials.

API Endpoint:

https://<siteurl>/api/oauth/{OauthAppName}/token
  • siteurl: This will be the LoginRadius IDX domain or your custom domain.
    • Example: If your LoginRadius app name is companyname, the site URL will be https://companyname.hub.loginradius.com.
    • If you are using a custom domain, replace siteurl with your custom domain.

API Method: POST

Request Body:

{
  "client_id": "<OAuth Client ID>",
  "grant_type": "password",
  "username": "<User's email/phone ID/username>",
  "password": "<User's password>",
  "response_type": "token"
}

Request Body Parameters:

Parameter      Requirement  Description
client_id      Required     OAuth Client ID, provided in your LoginRadius configuration.
grant_type     Required     Must be set to password.
username       Required     User's email, phone ID, or username, depending on your LoginRadius configuration.
password       Required     User's account password.
response_type  Optional     Should be set to token.

Sample Request:

POST https://companyname.hub.loginradius.com/api/oauth/oauthappname/token
Content-Type: application/json

{
  "client_id": "your_client_id",
  "grant_type": "password",
  "username": "user@example.com",
  "password": "user_password",
  "response_type": "token"
}

API Response:

A successful response will include the following:

{
  "access_token": "<JWT Access Token>",
  "token_type": "Bearer",
  "expires_in": <seconds until expiration>,
  "refresh_token": "<Refresh Token>",
  "id_token": "<JWT ID Token>"
}

Step 2: Use the Access Token

  • The access_token obtained in Step 1 can be used with any LoginRadius API endpoint that supports access tokens.
  • Tokens remain valid until they expire or are explicitly revoked.
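As an added example that is not part of the LoginRadius documentation or SDK, the Python helper below covers both steps: it builds the Step 1 endpoint and request body in the shapes shown above, validates the token response, tracks expiry for the refresh handling in the notes, and produces the bearer header for Step 2. The HTTPS-only check, the 60-second clock skew and the sample token values are assumptions of this example, not something the page specifies.

```python
import json
from urllib.parse import urlparse


def token_endpoint(site_url: str, oauth_app_name: str) -> str:
    """Build the Step 1 URL; reject non-HTTPS site URLs so credentials never go in clear (Note 3)."""
    parsed = urlparse(site_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("site URL must be an absolute https:// URL")
    return site_url.rstrip("/") + "/api/oauth/" + oauth_app_name + "/token"


def build_ropc_body(client_id: str, username: str, password: str) -> dict:
    """Request body from Step 1; every required parameter must be non-empty."""
    if not all((client_id, username, password)):
        raise ValueError("client_id, username and password are required")
    return {"client_id": client_id, "grant_type": "password", "username": username,
            "password": password, "response_type": "token"}


def parse_token_response(body: str, now: float) -> dict:
    """Validate the Step 1 response and turn expires_in into an absolute expiry time."""
    data = json.loads(body)
    missing = [k for k in ("access_token", "token_type", "expires_in") if k not in data]
    if missing:
        raise ValueError("token response missing: " + ", ".join(missing))
    if str(data["token_type"]).lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % data["token_type"])
    return {"access_token": data["access_token"],
            "refresh_token": data.get("refresh_token"),
            "id_token": data.get("id_token"),
            "expires_at": now + int(data["expires_in"])}


def needs_refresh(token: dict, now: float, skew: int = 60) -> bool:
    """True when the access token is expired or within `skew` seconds of expiring (Note 2)."""
    return now + skew >= token["expires_at"]


def bearer_header(token: dict) -> dict:
    """Header for Step 2 calls; only the access_token is sent, never the user's password."""
    return {"Authorization": "Bearer " + token["access_token"]}


# Constructed sample response in the documented shape (assumed values, not real tokens).
SAMPLE_RESPONSE = json.dumps({"access_token": "eyJ.sample.access", "token_type": "Bearer",
                              "expires_in": 3600, "refresh_token": "sample-refresh",
                              "id_token": "eyJ.sample.id"})
```

Sending the request (for example with `requests.post(token_endpoint(...), json=build_ropc_body(...))`) is left out so the block runs offline; keep the password out of logs and discard it as soon as the token is obtained.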

Important Notes

  1. Trust Factor: This flow requires the client application to handle user credentials securely. Use only in highly trusted environments.
  2. Token Expiration: Make sure to handle token expiration and obtain a new token using the refresh_token.
  3. Security: Always use secure channels (e.g., HTTPS) when transmitting sensitive information like user credentials.

By following these steps, you can seamlessly implement the Resource Owner Password Credentials Flow in your application.