Password grant - SSO

In a password grant use case, two OAuth clients are registered with SSO. The first client may be a "native application" presenting a user interface to the end-user; it may instead be a simple command-line client or other backend application in a server-to-server integration scenario. The second client is usually a web service or resource server providing API services to the first client.

The first client wants to obtain an access token for calling the resource server's API services. The resource server validates the access token it receives by calling the tokeninfo service. The tokeninfo service returns claims and attributes describing the authenticated user.

Sequence diagram of password grant (diagram image not reproduced here)

Access Token Request

https://tools.ietf.org/html/rfc6749#section-4.3.2

POST /uas/oauth2/token

Required parameters

  • grant_type = password

Allowed by default

  • scope = openid <resource id …>

  • "openid"  → the token response will contain id_token

  • "<resource id …>" → Client Identifiers (client_id) of other OAuth 2.0 clients acting as resource servers. The clients specified here are allowed to use the returned access token.

    • For clients registered using the Client Registration and Activation endpoint, the client_id is returned in the Registration Response.

    • The client_id of the client making the token request is always implicitly included in the scope parameter. This means that the client making the token request is allowed to use the access token itself, even if its client_id is not listed in the scope parameter.

  • client_id & client_secret

Client Identifier and Secret of the client application

  • username & password

The username and password of the end-user

Sample token request
POST https://sso.example.com/uas/oauth2/token
Authorization: Basic MTc2MjQxNDM3NDoqKio=
Content-Type: application/x-www-form-urlencoded

grant_type=password&scope=openid&username=user1&password=***
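The following is an added example, not code from this SSO product or its documentation. It builds the password-grant token request described in the overview and the "Access Token Request" section above, and models the scope rule that the requesting client's own client_id is always implicitly part of the scope. The endpoint URL, client_id "1762414374", username "user1" and the "***" placeholders are the page's own sample values; the resource-server client_ids "api-1" and "api-2" are constructed for the example, and the resource_server_accepts function is an illustration of the rule, not the product's tokeninfo API.

```python
# Added example (not the SSO product's own code): build the password-grant
# token request from the page and model its scope rule.
import base64
from urllib.parse import urlencode, parse_qs

# Token endpoint from the page's sample request.
TOKEN_ENDPOINT = "https://sso.example.com/uas/oauth2/token"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic client authentication (RFC 6749 section 2.3.1):
    base64 of 'client_id:client_secret'."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(client_id, client_secret, username, password,
                        resource_ids=(), openid=True):
    """Return (url, headers, body) for a password-grant request.

    The client credentials go in the Authorization header, as in the page's
    sample request; grant_type, the optional scope and the end-user
    credentials go in the form-encoded body.
    """
    scope = (["openid"] if openid else []) + list(resource_ids)
    form = [("grant_type", "password")]
    if scope:
        form.append(("scope", " ".join(scope)))
    form += [("username", username), ("password", password)]
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return TOKEN_ENDPOINT, headers, urlencode(form)


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into single-valued fields."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def effective_scope(requesting_client_id: str, scope_param: str):
    """Interpret the scope parameter as the page describes it.

    Returns (wants_id_token, resources): wants_id_token is True when "openid"
    was requested; resources is the set of client_ids allowed to use the
    access token, which always includes the requesting client's own client_id.
    """
    parts = scope_param.split() if scope_param else []
    wants_id_token = "openid" in parts
    resources = {p for p in parts if p != "openid"}
    resources.add(requesting_client_id)  # implicit per the page's scope rule
    return wants_id_token, resources


def resource_server_accepts(resource_client_id: str, requesting_client_id: str,
                            scope_param: str) -> bool:
    """Illustrative check (assumption, not the product's tokeninfo logic): a
    resource server should only honour a token issued for its own client_id."""
    _, resources = effective_scope(requesting_client_id, scope_param)
    return resource_client_id in resources


if __name__ == "__main__":
    # Reproduces the page's sample request (password shown as *** there too).
    url, headers, body = build_token_request("1762414374", "***", "user1", "***")
    print("POST", url)
    for name, value in headers.items():
        print(f"{name}: {value}")
    print()
    print(body)
```

Running the block prints a request equivalent to the page's sample; the Basic credential in the sample decodes to the client_id 1762414374 joined to a masked secret, which basic_auth_header reproduces exactly. Note that urlencode percent-encodes the "***" password, so compare the body with parse_form rather than as a raw string.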


Access Token Response

Instructions on page Authorization code grant and web single sign-on

Resource Server Request

Instructions on page Authorization code grant and web single sign-on

TokenInfo Request

Instructions on page Authorization code grant and web single sign-on

TokenInfo Response

Instructions on page Authorization code grant and web single sign-on