API Management versions 7.5.X and 7.6.X have reached end of support in November 2020.

Resource owner password credentials flow

The resource owner password credentials flow is also known as the username-password authentication flow. It can replace an existing login when the client application already holds the user's credentials, because the client sends those credentials directly to the token endpoint instead of redirecting the user to an authorization page.

The resource owner password credentials grant type is suitable only where the resource owner has a strong trust relationship with the client (for example, the device operating system or a highly privileged application), because the client sees the user's password in the clear. The authorization server should take special care when enabling this grant type, and only allow it when other flows are not viable. Later guidance goes further: the OAuth 2.0 Security Best Current Practice recommends against this grant entirely and OAuth 2.1 drops it, since it exposes the password to the client and cannot accommodate multi-factor authentication. Prefer the authorization code flow wherever a browser or system browser is available.

This grant type is suitable for clients capable of obtaining the resource owner's credentials (username and password, typically using an interactive form). It is also used to migrate existing clients using direct authentication schemes such as HTTP basic or digest authentication to OAuth by converting the stored credentials to an access token.

Resource Owner Password Credentials Flow

Request an access token

The client token request should be sent in an HTTP POST to the token endpoint with the following parameters:

Parameter    Description

grant_type   Required. Must be set to password.

username     Required. The resource owner's user name.

password     Required. The resource owner's password.

scope        Optional. The scope of the authorization, as a space-separated list of scope names.

format       Optional. Expected return format. The default is json. Possible values are:

  • urlencoded
  • json
  • xml

The following is an example HTTP POST request. The client authenticates itself with HTTP Basic authentication (its client ID and client secret, joined with a colon and base64-encoded, in the Authorization header); the parameters from the table above are sent form-encoded in the request body, so they must only ever travel over TLS:

POST /api/oauth/token HTTP/1.1
Content-Type:application/x-www-form-urlencoded; charset=UTF-8
Authorization:Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

Handle the response

The API Gateway first authenticates the client against the Client Application Registry, using the client ID and secret from the Authorization header, and then validates the resource owner's credentials from the request body. On success an access token, and optionally a refresh token, is returned to the client. For example, a valid response is as follows:

HTTP/1.1 200 OK
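The request and response above, with both sides of the exchange, as an added example that is not part of the original page or Axway's own code. It is plain Python rather than the page's Jython and runs in-process with no network: the client side builds the POST the page shows, including the form body; a small authorization server checks the client against a constructed Client Application Registry (holding the client ID and secret that the page's Authorization header encodes), verifies the resource owner's password against a constructed user store, and issues a Bearer token; a resource-server check then consumes it. The function names, the user "alice" and her password are assumptions made for this example; the parameter names, error codes and response fields follow RFC 6749.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed Client Application Registry: client_id -> client_secret. This
# id/secret pair is what the page's Basic Authorization header encodes.
CLIENT_REGISTRY = {"s6BhdRkqt3": "gX1fBat3bV"}


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed resource-owner store: username -> (salt, PBKDF2 hash). The grant
# carries the password in the clear; the server still never stores it that way.
_SALT = os.urandom(16)
USER_STORE = {"alice": (_SALT, _pbkdf2("correct horse battery", _SALT))}
_NO_USER = (bytes(16), bytes(32))   # dummy entry so unknown users cost the same
ISSUED_TOKENS = {}                  # access_token -> {"sub": ..., "scope": ...}


def build_token_request(client_id, client_secret, username, password, scope=None):
    """Client side: headers and form-encoded body of POST /api/oauth/token."""
    params = {"grant_type": "password", "username": username, "password": password}
    if scope:
        params["scope"] = scope
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
               "Authorization": f"Basic {creds}"}
    return headers, urlencode(params)


def _authenticate_client(headers):
    """Resolve the Basic-auth client against the registry; None on failure."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = CLIENT_REGISTRY.get(client_id, "")
    if not expected or not hmac.compare_digest(expected.encode(), secret.encode()):
        return None
    return client_id


def handle_token_request(headers, body):
    """Authorization-server side: returns (HTTP status, JSON body), using the
    error codes of RFC 6749 section 5.2."""
    if _authenticate_client(headers) is None:
        return 401, json.dumps({"error": "invalid_client"})
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "password":
        return 400, json.dumps({"error": "unsupported_grant_type"})
    username, password = form.get("username"), form.get("password")
    if not username or not password:
        return 400, json.dumps({"error": "invalid_request"})
    # Hash even for unknown users and compare in constant time, so response
    # time does not reveal which usernames exist.
    salt, stored = USER_STORE.get(username, _NO_USER)
    if not hmac.compare_digest(_pbkdf2(password, salt), stored):
        return 400, json.dumps({"error": "invalid_grant"})
    access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
    ISSUED_TOKENS[access] = {"sub": username, "scope": form.get("scope", "")}
    token = {"access_token": access, "token_type": "Bearer", "expires_in": 3600,
             "refresh_token": refresh}
    if "scope" in form:
        token["scope"] = form["scope"]
    return 200, json.dumps(token)


def protected_resource(headers):
    """Resource-server side: admit only a Bearer token this server issued."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or token not in ISSUED_TOKENS:
        return 401, "unauthorized"
    return 200, "<html>Congrats! You've hit an OAuth protected resource</html>"


def run_flow(username, password, client_id="s6BhdRkqt3", client_secret="gX1fBat3bV"):
    """The whole exchange in-process, as the page's sample client does it: token
    request, parse the JSON, then call the protected resource with the token.
    Returns (token status, parsed token response, resource status or None)."""
    headers, body = build_token_request(client_id, client_secret, username,
                                        password, scope="resource.READ")
    status, resp = handle_token_request(headers, body)
    token = json.loads(resp)
    if status != 200:
        return status, token, None
    res_status, _ = protected_resource({"Authorization": f"Bearer {token['access_token']}"})
    return status, token, res_status


if __name__ == "__main__":
    print(run_flow("alice", "correct horse battery"))
```

Two details are worth copying into any real token endpoint for this grant: the client secret and the password are both compared in constant time, and the password check runs a full hash even for unknown user names, so an attacker probing the endpoint cannot distinguish "no such user" from "wrong password" by response time. A failed client authentication is answered with 401 invalid_client before the user's credentials are examined at all, so an unregistered client learns nothing about user accounts.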

Run the sample client

The following Jython sample client sends a request to the authorization server using the resource owner password credentials flow:


To run the sample, open a shell prompt at INSTALL_DIR/samples/scripts, and execute the following command:

> run oauth/resourceowner_password_credentials.py

The script outputs the following:

Sending up access token request using grant_type set to password
Response from access token request:200
Parsing the json response
**********************ACCESS TOKEN RESPONSE***********************************
Access token received from authorization server lrGHhFhFwSmycXStIza1jjvXlSaac9
Access token type received from authorization server Bearer
Access token expiry time:3600
Now we can try access the protected resource using the access token
Executing get request on the protected url
Response from protected resource request is:200
<html>Congrats! You've hit an OAuth protected resource</html>
