Getting Started with OAuth 2.0

by Ryan Boyd
February 2012
Content level: Beginner to intermediate
78 pages
2h 13m
English
O'Reilly Media, Inc.
Content preview from Getting Started with OAuth 2.0

Chapter 4. Resource Owner Password Flow

The Resource Owner Password Credentials flow allows exchanging the username and password of a user for an access token and, optionally, a refresh token. This flow has significantly different security properties from the other OAuth flows. The primary difference is that the user’s password is accessible to the application, which requires the user to place strong trust in that application.

Figure 4-1 shows a step-by-step flow diagram, based on a diagram from the specification.

Figure 4-1. Resource Owner Password flow: Step-by-step

When Should the Resource Owner Password Flow Be Used?

Because the resource owner’s password is exposed to the application, this flow should be used sparingly. It is recommended only for first-party “official” applications released by the API provider, and not opened up to wider third-party developer communities.

If users are asked to type their password into “official” applications, they may become accustomed to doing so and become vulnerable to phishing attempts by other apps. To mitigate this concern, developers and IT administrators should clearly educate their users on how to determine which apps are “official” and which are not.
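The following is an added example, not code from the book or from any OAuth library. It models the token endpoint side of the exchange described above (a form-encoded request carrying `grant_type=password`, the user's credentials and client authentication, answered with an access token and optional refresh token, per RFC 6749 section 4.3) and enforces the chapter's recommendation in code: the authorization server honours the password grant only for an allow-list of first-party clients and answers everyone else with the standard `unauthorized_client` error before any password is examined. All client IDs, secrets, user names, passwords and the salt are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode

# Constructed sample registrations (hypothetical names, not from the book).
# Only first-party "official" clients are allowed to use the password grant;
# third-party clients are registered for other grants and never for this one.
FIRST_PARTY_CLIENTS: Dict[str, str] = {"official-mobile-app": "s3cr3t-example"}
THIRD_PARTY_CLIENTS: Dict[str, str] = {"partner-dashboard": "partner-secret"}


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 so the server never stores the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


# Constructed user store: username -> (salt, password hash).
_ALICE_SALT = b"constructed-salt-16b"
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": (_ALICE_SALT, _hash_password("correct horse battery", _ALICE_SALT)),
}


def build_password_grant_body(username: str, password: str, scope: str = "") -> str:
    """Form-encoded POST body the first-party app sends (RFC 6749 section 4.3.2)."""
    params = {"grant_type": "password", "username": username, "password": password}
    if scope:
        params["scope"] = scope
    return urlencode(params)


def handle_token_request(body: str,
                         client_auth: Optional[Tuple[str, str]]) -> Tuple[int, dict]:
    """Model of the token endpoint. Returns (HTTP status, JSON-style response dict).

    client_auth stands in for the HTTP Basic client credentials of the real protocol.
    """
    params = {k: v[0] for k, v in parse_qs(body).items()}

    # 1. Authenticate the client; unknown or wrong credentials -> 401 invalid_client.
    if client_auth is None:
        return 401, {"error": "invalid_client"}
    client_id, client_secret = client_auth
    known_secret = FIRST_PARTY_CLIENTS.get(client_id) or THIRD_PARTY_CLIENTS.get(client_id)
    if known_secret is None or not hmac.compare_digest(known_secret, client_secret):
        return 401, {"error": "invalid_client"}

    # 2. Only the password grant is modelled here.
    if params.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}

    # 3. The control the chapter argues for: the grant is reserved for first-party
    #    apps. Everyone else is refused before the user's password is even checked.
    if client_id not in FIRST_PARTY_CLIENTS:
        return 400, {"error": "unauthorized_client"}

    # 4. Verify the resource owner's credentials. A dummy record is used for unknown
    #    users so the hash is always computed and timing does not reveal which
    #    usernames exist; mismatched lengths make compare_digest return False.
    username = params.get("username", "")
    password = params.get("password", "")
    salt, stored = USERS.get(username, (_ALICE_SALT, b""))
    if not hmac.compare_digest(stored, _hash_password(password, salt)):
        return 400, {"error": "invalid_grant"}

    # 5. Issue tokens (RFC 6749 section 5.1). Opaque random strings stand in for
    #    whatever a real server issues; the password itself is not retained.
    return 200, {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": 3600,
        "refresh_token": secrets.token_urlsafe(32),
        "scope": params.get("scope", ""),
    }


if __name__ == "__main__":
    body = build_password_grant_body("alice", "correct horse battery", "profile")
    print(handle_token_request(body, ("official-mobile-app", "s3cr3t-example")))
    print(handle_token_request(body, ("partner-dashboard", "partner-secret")))
```

The ordering of the checks is the point: client authentication and the first-party allow-list come before the password check, so a third-party application that has talked a user into typing a password cannot turn it into a token, and the server's logs show an `unauthorized_client` rejection that is worth alerting on.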


ISBN: 9781449317843