Overview
The Resource Owner Password Credentials Grant can be used directly as an Authorization Grant to obtain an Access Token.
The credentials should only be used when there is a high degree of trust between the Resource Owner and the OAuth Client (e.g., the client is part of the device operating system or a highly privileged application), and when other authorization Grant Types are not available.
Even though this Grant Type requires the OAuth Client to have direct access to the Resource Owner credentials, those credentials are used for a single request and are exchanged for an Access Token. This Grant Type can therefore eliminate the need for the client to store the Resource Owner credentials for future use, since the credentials are exchanged for a long-lived Access Token or Refresh Token.
This Grant Type has two practical advantages:
- Convenient token renewal, since a Refresh Token is provided
- A single call is sufficient to obtain both the Access Token and the Refresh Token
Its main drawback:
- The Resource Owner Password Credentials Grant exercises the Password Anti-Pattern, which reduces security
The Access Token request to the Token Endpoint is made as follows:
- HTTP POST
- The client authenticates using a base64-encoded value of client_id:Client Secret in the Authorization header
- The Resource Owner credentials are sent as form parameters named "username" and "password"
- grant_type=password is sent as a form parameter
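The request shape described above, as an added example that is not from the original page: it builds the POST body and the Basic Authorization header exactly as listed, and then validates the token response, keeping only the Access Token and Refresh Token so the password is never stored. The endpoint URL, client and user values are hypothetical.

```python
"""Build and parse a Resource Owner Password Credentials Grant token request."""
import base64
import json
from urllib.parse import urlencode

# Hypothetical Token Endpoint of the Authorization Server (not from the page)
TOKEN_ENDPOINT = "https://as.example.test/oauth2/token"


def build_token_request(client_id, client_secret, username, password, scope=None):
    """Return (method, url, headers, body) for the password grant request."""
    # Client authentication: base64(client_id:Client Secret) in the Authorization header
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    # The Resource Owner credentials travel once, as form parameters,
    # together with grant_type=password
    form = {"grant_type": "password", "username": username, "password": password}
    if scope:
        form["scope"] = scope
    return "POST", TOKEN_ENDPOINT, headers, urlencode(form)


def parse_token_response(body):
    """Validate the token response; only the tokens are retained, never the password."""
    data = json.loads(body)
    if "error" in data:
        raise ValueError(f"token request failed: {data['error']}")
    if "access_token" not in data or data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token response")
    # The Refresh Token is what the client keeps for later renewal
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),
        "expires_in": int(data.get("expires_in", 0)),
    }


if __name__ == "__main__":
    method, url, headers, body = build_token_request("app", "s3cret", "alice", "pw")
    print(method, url, headers["Authorization"], body)
    # Constructed sample response in the shape RFC 6749 describes
    sample = ('{"access_token":"2YotnFZFEjr1zCsicMWpAA","token_type":"Bearer",'
              '"expires_in":3600,"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"}')
    print(parse_token_response(sample))
```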