OAuth 2.0 Resource Owner Password Credentials Flow

The Resource Owner Password Credentials (ROPC) flow enables a client application to directly fetch an access_token and refresh_token using the user's credentials (e.g., email, username, phone ID, and password).

Use Case

  • Best suited for scenarios where the user strongly trusts the client application.
  • Does not involve browser redirects, unlike the Authorization Code or Implicit flows.
  • Intended for trusted environments where the application can securely handle user credentials.

Implementation Steps

Step 1: Obtain Access Token

To fetch an access_token, make a POST request to the /token endpoint with the user credentials.

API Endpoint:

https://<siteurl>/api/oauth/{OauthAppName}/token
  • siteurl: This will be the LoginRadius IDX domain or your custom domain.
    • Example: If your LoginRadius app name is companyname, the site URL will be https://companyname.hub.loginradius.com.
    • If you are using a custom domain, replace siteurl with your custom domain.

API Method: POST

Request Body:

{
  "client_id": "<OAuth Client ID>",
  "grant_type": "password",
  "username": "<User's email/phone ID/username>",
  "password": "<User's password>",
  "response_type": "token"
}

Request Body Parameters:

Parameter      Requirement  Description
client_id      Required     The OAuth Client ID provided in your LoginRadius configuration.
grant_type     Required     Must be set to password.
username       Required     The user's email, phone ID, or username, depending on your LoginRadius configuration.
password       Required     The user's account password.
response_type  Optional     Should be set to token.

Sample Request:

POST https://companyname.hub.loginradius.com/api/oauth/oauthappname/token
Content-Type: application/json

{
  "client_id": "your_client_id",
  "grant_type": "password",
  "username": "user@example.com",
  "password": "user_password",
  "response_type": "token"
}

API Response:

A successful response will include the following:

{
  "access_token": "<JWT Access Token>",
  "token_type": "Bearer",
  "expires_in": <seconds until expiration>,
  "refresh_token": "<Refresh Token>",
  "id_token": "<JWT ID Token>"
}

Step 2: Use the Access Token

  • The access_token obtained in Step 1 can be used with any LoginRadius API endpoint that supports access tokens.
  • Tokens remain valid until they expire or are explicitly revoked.

Important Notes

  1. Trust Factor: This flow requires the client application to handle user credentials securely. Use only in highly trusted environments.
  2. Token Expiration: Make sure to handle token expiration and obtain a new access_token using the refresh_token.
  3. Security: Always use secure channels (e.g., HTTPS) when transmitting sensitive information like user credentials.
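A small Python client tying the two steps and the notes above together (an added example, not LoginRadius code): it builds the documented request body, refuses non-HTTPS site URLs, and turns expires_in into an absolute expiry so the refresh_token can be used before the access_token lapses. The sample response is constructed, and the OAuth app name, client ID and credentials in the test are placeholders.

```python
import json
import time
import urllib.request
from urllib.parse import urlparse

# Constructed sample of the documented /token response; not a real token.
SAMPLE_RESPONSE = json.dumps({"access_token": "eyJ.constructed.access",
                              "token_type": "Bearer", "expires_in": 3600,
                              "refresh_token": "constructed-refresh",
                              "id_token": "eyJ.constructed.id"})

def token_endpoint(site_url, oauth_app_name):
    # The request body carries the user's password: refuse non-HTTPS URLs.
    parsed = urlparse(site_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("site_url must be an https:// URL")
    return f"{site_url.rstrip('/')}/api/oauth/{oauth_app_name}/token"

def build_token_request(client_id, username, password):
    # Exactly the documented body for grant_type=password.
    return {"client_id": client_id, "grant_type": "password",
            "username": username, "password": password,
            "response_type": "token"}

def parse_token_response(body, now=None):
    # Convert the relative expires_in into an absolute expiry so the
    # caller knows when to fall back to the refresh_token.
    data = json.loads(body)
    if "access_token" not in data or "expires_in" not in data:
        raise ValueError("token response lacks access_token or expires_in")
    now = time.time() if now is None else now
    return {"access_token": data["access_token"],
            "token_type": data.get("token_type", "Bearer"),
            "expires_at": now + float(data["expires_in"]),
            "refresh_token": data.get("refresh_token"),
            "id_token": data.get("id_token")}

def is_expired(token, now=None, skew=30):
    # Report expiry `skew` seconds early so a refresh happens before a call fails.
    now = time.time() if now is None else now
    return now >= token["expires_at"] - skew

def request_token(site_url, app, client_id, username, password,
                  opener=urllib.request.urlopen):
    # `opener` is injectable so the flow can be exercised without network.
    payload = json.dumps(build_token_request(client_id, username, password))
    req = urllib.request.Request(token_endpoint(site_url, app),
                                 data=payload.encode("utf-8"), method="POST",
                                 headers={"Content-Type": "application/json"})
    with opener(req) as resp:
        return parse_token_response(resp.read())
```

Never log the request body: it contains the user's password in clear text.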

By following these steps, you can seamlessly implement the Resource Owner Password Credentials Flow in your application.
