The Resource Owner Password Credentials flow allows exchanging the username and password of a user for an access token and, optionally, a refresh token. This flow has significantly different security properties than the other OAuth flows. The primary difference is that the user's password is accessible to the application. This requires strong trust of the application by the user.
Figure 4-1 shows a step-by-step flow diagram, based on a diagram from the specification.
Because the resource owner's password is exposed to the application, this flow should be used sparingly. It is recommended only for first-party "official" applications released by the API provider, and not opened up to wider third-party developer communities.
If a user is asked to type their password into "official" applications, they may become accustomed to doing so and become vulnerable to phishing attempts by other apps. In order to mitigate this concern, developers and IT administrators should clearly educate their users how they should determine which apps are "official" and which are not.
Get Getting Started with OAuth 2.0 now with the O’Reilly learning platform.