Password grant - SSO

In a password grant use case two OAuth clients are registered with SSO. The first client may be a "native application" presenting user interfaces to the end-user. The first client may also for example be a simple command-line client or other backend application in a server-to-server integration scenario. The second client is usually a web service or resource server providing API services to the first client. 

The first client wants to get an access token for calling the resource server API services. The resource server validates the access token it receives by calling the tokeninfo service. The tokeninfo service returns claims and attributes describing the authenticated user.

Contents


Sequence diagram of password grant



Access Token Request

https://tools.ietf.org/html/rfc6749#section-4.3.2

POST /uas/oauth2/token

Required parameters

  • grant_type = password

Allowed by default

  • scope = openid <resource id …>
  • "openid"  → the token response will contain id_token
  • client_id & client_secret

Client Identifier and Secret of the client application

  • username & password

The username and password of the end-user

Sample token request
POST https://sso.example.com/uas/oauth2/token 
Authorization: Basic MTc2MjQxNDM3NDoqKio= 
Content-Type: application/x-www-form-urlencoded
grant_type=password&scope=openid&username=user1&password=***


Access Token Response

Instructions on page Authorization code grant and web single sign-on

Resource Server Request

Instructions on page Authorization code grant and web single sign-on

TokenInfo Request

Instructions on page Authorization code grant and web single sign-on

TokenInfo Response

Instructions on page Authorization code grant and web single sign-on

This web page (including any attachments) may contain confidential, proprietary, or privileged information – not for disclosure without authorization from Ubisecure Inc. Copyright © 2024. All Rights Reserved.