---
title: ResourceOwnerOAuth2ClientFilter
description: This filter uses the Resource Owner Password Credentials grant type. According to information in The OAuth 2.0 Authorization Framework, minimize use of this grant type and utilize other grant types whenever possible. Use this filter in a service-to-service context, where services need to access resources protected by OAuth 2.0.
component: pinggateway
version: 2026
page_id: pinggateway:reference:ResourceOwnerOAuth2ClientFilter
canonical_url: https://docs.pingidentity.com/pinggateway/2026/reference/ResourceOwnerOAuth2ClientFilter.html
revdate: 2025-08-13T11:08:28Z
section_ids:
  ClientCredentialResourceOwnerOAuth2ClientFilter-usage: Usage
  ResourceOwnerOAuth2ClientFilter-properties: Properties
  ResourceOwnerOAuth2ClientFilter-example: Examples
  ResourceOwnerOAuth2ClientFilter-moreinfo: More information
---

# ResourceOwnerOAuth2ClientFilter

This filter uses the *Resource Owner Password Credentials* grant type. According to information in [The OAuth 2.0 Authorization Framework](https://datatracker.ietf.org/doc/html/rfc6749#section-10.7), minimize use of this grant type and utilize other grant types whenever possible. Use this filter in a service-to-service context, where services need to access resources protected by OAuth 2.0.

Authenticates OAuth 2.0 clients by using the resource owner's OAuth 2.0 credentials to obtain an access token from an Authorization Server, and injecting the access token into the inbound request as a Bearer Authorization header.

Client authentication is provided by the `endpointHandler` property, which uses a client authentication filter.

The ResourceOwnerOAuth2ClientFilter refreshes the access token as required.

For more information, refer to [RFC 6749 - Resource Owner Password Grant](https://datatracker.ietf.org/doc/html/rfc6749#section-4.3).
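
The token request and header injection described above, sketched from RFC 6749 sections 4.3.2, 2.3.1 and 5.1 as an added example (not PingGateway code). The endpoint URL, credentials and function names are constructed, the HTTPS check is an added assumption, and HTTP Basic stands in for whichever client authentication filter `endpointHandler` uses.

```python
import base64
import json
from urllib.parse import quote_plus, urlencode


def build_token_request(token_endpoint, username, password, scopes,
                        client_id, client_secret):
    """Token request per RFC 6749 section 4.3.2, Basic client auth per 2.3.1."""
    # Added safety check (an assumption, not documented filter behaviour):
    # the body carries the resource owner's password, so require TLS.
    if not token_endpoint.startswith("https://"):
        raise ValueError("token endpoint must use https")
    form = {"grant_type": "password", "username": username, "password": password}
    if scopes:
        form["scope"] = " ".join(scopes)  # scope values are space-delimited
    # Section 2.3.1: form-encode client id and secret, then Base64 "id:secret".
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return {
        "method": "POST",
        "url": token_endpoint,
        "headers": {
            "Authorization": "Basic " + base64.b64encode(pair.encode()).decode(),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode(form),
    }


def bearer_header(token_response_json):
    """Parse a section 5.1 token response and return the header to inject."""
    data = json.loads(token_response_json)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unsupported token_type")
    return {"Authorization": "Bearer " + data["access_token"]}


# Constructed sample values, not taken from the page or a real deployment.
REQUEST = build_token_request(
    "https://as.example.com/oauth2/access_token", "demo", "Ch4ng3-it!",
    ["read", "write"], "myConfidentialClient", "s3cr3t/+")
RESPONSE = '{"access_token": "constructed-token", "token_type": "Bearer", "expires_in": 3600}'

if __name__ == "__main__":
    print(REQUEST["body"])
    print(bearer_header(RESPONSE))
```

The request body carries the resource owner's password itself, so every component that builds or receives this request handles the user's credential directly.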

## Usage

```json
{
  "name": string,
  "type": "ResourceOwnerOAuth2ClientFilter",
  "config": {
    "username": configuration expression<string>,
    "passwordSecretId": configuration expression<secret-id>,
    "secretsProvider": SecretsProvider reference,
    "tokenEndpoint": configuration expression<url>,
    "scopes": [ configuration expression<string>, ... ],
    "endpointHandler": Handler reference
  }
}
```

## Properties

* `"username"`: *configuration expression<[string](preface.html#definition-string)>, required*

  The resource owner username to supply during authentication.

* `"passwordSecretId"`: *configuration expression<[secret-id](preface.html#definition-secretid)>, required*

  The secret ID to obtain the resource owner password.

  This secret ID must point to a [GenericSecret](../security-guide/keys.html#secret-types).

* `"secretsProvider"`: *SecretsProvider [reference](preface.html#definition-reference), required*

  The [SecretsProvider](SecretsProvider.html) to query for passwords and cryptographic keys.

* `"tokenEndpoint"`: *configuration expression<[url](preface.html#definition-url)>, required*

  The URL to the Authorization Server's OAuth 2.0 token endpoint.

* `"scopes"`: *array of configuration expression<[strings](preface.html#definition-string)>, optional*

  Array of scope strings to request from the Authorization Server.

  Default: Empty, request no scopes.

* `"endpointHandler"`: *Handler [reference](preface.html#definition-reference), optional*

  The Handler to exchange tokens on the authorization endpoint.

  Configure this property as a [Chain](Chain.html), using one of the following client authentication filters:

  * [ClientSecretBasicAuthenticationFilter](ClientSecretBasicAuthenticationFilter.html)

  * [ClientSecretPostAuthenticationFilter](ClientSecretPostAuthenticationFilter.html)

  * [PrivateKeyJwtClientAuthenticationFilter](PrivateKeyJwtClientAuthenticationFilter.html)

  ```json
  {
    "name": "myHandler",
    "type": "Chain",
    "config": {
      "handler": "ForgeRockClientHandler",
      "filters": [
        {
          "type": "ClientSecretBasicAuthenticationFilter",
          "config": {
            "clientId": "myConfidentialClient",
            "clientSecretId": "my.client.secret.id",
            "secretsProvider": "mySystemAndEnvSecretStore"
          }
        }
      ]
    }
  }
  ```

  Default: [ForgeRockClientHandler](ForgeRockClientHandler.html)

## Examples

For an example, refer to [Resource owner password credentials grant with PingAM](../gateway-guide/oauth2-resourceowner.html).

## More information

[org.forgerock.openig.filter.oauth2.client.ResourceOwnerOAuth2ClientFilterHeaplet](../_attachments/apidocs/org/forgerock/openig/filter/oauth2/client/ResourceOwnerOAuth2ClientFilterHeaplet.html)

[org.forgerock.openig.filter.oauth2.OAuth2ResourceServerFilterHeaplet](../_attachments/apidocs/org/forgerock/openig/filter/oauth2/OAuth2ResourceServerFilterHeaplet.html)

[OAuth2ResourceServerFilter](OAuth2ResourceServerFilter.html)

[The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749)

[The OAuth 2.0 Authorization Framework: Bearer Token Usage](https://www.rfc-editor.org/rfc/rfc6750)
