Legacy Patterns: The Password Grant and Migration Strategies
Understand how the legacy OAuth 2.0 password grant operates, why it poses security risks by exposing user credentials, and discover practical migration strategies to modern, secure authorization flows using Spring Security that support advanced features like multi-factor authentication.
We'll cover the following...
An authorization grant is the specific mechanism an OAuth 2.0 client uses to obtain access to a protected resource. Historically, developers relied on a variety of grants to accommodate different application architectures. Among these, the Resource Owner Password Credentials (ROPC) grant, often simply called the password grant, was widely used. However, modern security standards have deprecated this flow entirely.
In this lesson, we examine how the password grant works to help you recognize it in legacy systems, understand its inherent vulnerabilities, and identify the correct migration paths for modern Spring Security applications. We also clarify a common misconception from older architectures: access tokens are not inherently JSON Web Tokens (JWTs); they can be opaque strings or JWTs, depending entirely on the authorization server's configuration.
The mechanics of the password grant
To effectively modernize a legacy system, we must first understand how it currently operates. The password grant is a direct, two-step flow in which the user provides their actual credentials to the client application, which then acts as a middleman to obtain a token.
The client application prompts the user for their authorization credentials, typically a username and password. The client then sends these raw credentials directly to the authorization server via an HTTP POST request, along with its own client identification.
{"grant_type": "password","client_id": "legacy-mobile-app","client_secret": "legacy-secret-key","scope": "read write","username": "user123","password": "mySecurePassword"}
Line 2: The
grant_typeexplicitly tells the authorization server to expect raw user credentials.Lines 3–4: The client application authenticates itself using its registered ID and secret.
Line 5: The requested scope of access.
Lines 6–7: The raw credentials collected directly from the user interface of the client application.
If the credentials are correct, the authorization server responds with a JSON object that contains the tokens.
{"token_type": "Bearer","expires_in": 3600,"access_token": "opaque-or-jwt-access-token","refresh_token": "opaque-refresh-token"}
Line 2: The
token_typeindicates how the token should be used in subsequent requests (typically as a Bearer token in theAuthorizationheader).Line 3: The
expires_infield is an integer representing the lifespan of the access token in seconds.Lines 4–5: The server issues the access token and, optionally, a refresh token to maintain the session without prompting for the password again.
While this exchange looks simple and requires very few architectural decisions, that simplicity hides significant structural flaws. To see where this flow breaks modern security boundaries, look at how data crosses trust boundaries.
As the diagram illustrates, the immediate collection of credentials by the client is the fundamental design flaw of this legacy pattern.
Security risks and trust boundary violations
The primary purpose of OAuth 2.0 is delegated authorization. This model allows a third-party application to access resources on a user's behalf without ever seeing their actual password. The password grant actively breaks this delegation model. By requiring the user to type their username and password directly into the client application, we train users to hand their sensitive credentials to third parties. Even in first-party scenarios where your organization owns both the frontend and the backend, handling raw credentials in the client application expands your attack surface unnecessarily.
Furthermore, this flow severely limits your ability to enforce modern identity security features. Because the client application manages the login form, introducing multi-factor authentication (MFA), CAPTCHAs, or federated single sign-on (SSO) becomes complex or technically unfeasible. The authorization server has no control over the login experience, which makes the password grant a rigid and insecure choice for modern applications.
Migration strategies for modern architectures
Modern Spring Authorization Server implementations do not support the password grant out of the box, which reflects current industry best practices. When tasked with migrating an existing system off the password grant, your replacement strategy depends entirely on the type of client making the request.
The following table outlines the standard migration paths for legacy applications.
Client Type | Legacy Approach | Modern Alternative |
Web Applications (Server-side) | Password Grant | Authorization Code Grant |
Single-Page Applications (SPA) | Password Grant | Authorization Code Grant with PKCE |
Mobile Applications | Password Grant | Authorization Code Grant with PKCE |
Machine-to-Machine (Microservices) | Password Grant | Client Credentials Grant |
Input-Constrained Devices (e.g., Smart TVs) | Password Grant | Device Authorization Grant |
By adopting these modern alternatives, you ensure the authorization server retains full control over the authentication process, enabling advanced security features like MFA without changing the client code.
To confirm our understanding of these architectural shifts, let’s evaluate the core vulnerability we are designing away from.
What is the primary security vulnerability of the password grant compared to modern OAuth 2.0 flows?
It requires the authorization server to issue refresh tokens.
It requires the client application to capture and handle raw user credentials.
It prevents the use of JSON Web Tokens (JWTs).
It bypasses the resource server’s validation checks.
Understanding why the password grant fails modern security standards provides the necessary context for why modern Spring Security architectures mandate flows that safely separate authentication from the client application.