Resource Owner Credentials Grant

This lesson discusses the Resource Owner Password Credentials grant.

The Resource Owner password credentials grant type is used in cases where the resource owner trusts the client and is ready to share its credentials with the client. The authorization server should take special care when enabling this grant type and only allow it when other flows are not viable.

This flow was introduced to migrate existing clients that used direct authentication schemes such as HTTP Basic or Digest authentication to OAuth, by converting the stored credentials into an access token. Today there is no case in which this flow should be used: it is very insecure, because the resource owner's password is handed directly to the client.

In HTTP Basic authentication, the server requests the client to present a username and password combination as part of the HTTP Basic challenge-response mechanism. With HTTP Basic Authentication, the client’s username and password are concatenated, base64-encoded, and passed in the Authorization HTTP header. The server can then authenticate this user against a user profile stored in the server’s local repository, a database, or an LDAP directory.
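The following is an added example, not code from the lesson: it decodes a constructed HTTP Basic header (showing that base64 is reversible encoding, not protection), builds the equivalent password-grant token request the migration path above relied on, using the field names from RFC 6749 section 4.3.2, and shows a simple authorization-server policy check that rejects the password grant. The credentials and the allowed-grant set are constructed values.

```python
import base64
from urllib.parse import parse_qs, urlencode

# Grants an authorization server is assumed to still permit (constructed policy).
ALLOWED_GRANTS = {"authorization_code", "client_credentials", "refresh_token"}

# Constructed HTTP Basic header: "username:password", base64-encoded.
BASIC_HEADER = "Basic " + base64.b64encode(b"alice:s3cret-pw").decode()


def decode_basic(header: str) -> tuple[str, str]:
    """Recover the username and password from a Basic Authorization header.
    Anything that can read the header can read the password."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def basic_to_ropc_body(header: str, scope: str = "read") -> str:
    """Build the token-request body the password grant uses (RFC 6749 4.3.2).
    Note the password still travels in clear form to the token endpoint."""
    user, password = decode_basic(header)
    return urlencode({"grant_type": "password", "username": user,
                      "password": password, "scope": scope})


def audit_token_request(body: str) -> dict:
    """Policy check for a token endpoint: reject the password grant and report
    whether the request carries a raw password at all."""
    params = {k: v[0] for k, v in parse_qs(body).items()}
    grant = params.get("grant_type")
    return {
        "grant_type": grant,
        "allowed": grant in ALLOWED_GRANTS,
        "exposes_password": "password" in params,
    }


if __name__ == "__main__":
    body = basic_to_ropc_body(BASIC_HEADER)
    print(body)                      # grant_type=password&username=alice&...
    print(audit_token_request(body))  # allowed: False, exposes_password: True
```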