PingOne Advanced Identity Cloud

Resource owner password credentials grant

The resource owner password credentials (ROPC) grant flow lets the client use the resource owner’s username and password to get an access token.

Because the resource owner shares their credentials with the client, this flow is deemed the most insecure of the OAuth 2.0 flows. The resource owner’s credentials can potentially be leaked or abused by the client application, and the resource owner has no control over the authorization process.

Only implement the ROPC grant flow if the resource owner has a trusted relationship with the client, such as when the client is part of the device operating system or a highly privileged application.

The ROPC grant flow

Figure 1. OAuth 2.0 ROPC grant flow
  1. The resource owner provides the client with their username and password.

  2. The client sends the resource owner’s credentials and its own credentials to the authorization server, which authenticates the credentials and authorizes the resource owner’s request.

  3. If the credentials are valid, the authorization server returns an access token to the client.

  4. The client requests access to the protected resource, presenting the access token to the resource server.

  5. The resource server contacts the authorization server to validate the access token.

  6. The authorization server validates the token and responds to the resource server.

  7. If the token is valid, the resource server lets the client access the protected resource.

Demonstrate the ROPC grant flow

Perform these steps to get an access token:

Prepare the demonstration

Complete these steps to prepare the ROPC grant flow demonstration:

  1. Create an application owner profile and record the username and password.

  2. Register a client application.

    1. In the Advanced Identity Cloud admin UI, go to Applications and select + Custom Application.

    2. Select the sign-in method as OIDC - OpenId Connect and application type as Web.

    3. Create the application, providing the following details:

      Name: myClient

      Owners: <application-owner>

      Client ID: myClient

      Client Secret: forgerock

    4. Switch to the Sign On tab and under General Settings, set these fields to have the following values:

      Grant Types: Resource Owner Password Credentials

      Sign-in URLs: https://www.example.com:443/callback

      Scopes: write

    5. Save your changes.

  3. Create a resource owner profile and record the username and password.

  4. Under Native Consoles > Access Management, go to Realms > Realm Name > Services > OAuth2 Provider > Advanced and check that the Grant Types field includes Resource Owner Password Credentials.

Define an ROPC journey

Configure PingOne Advanced Identity Cloud to use a journey that can authenticate a resource owner without UI-based interaction, such as the Login journey.

PingOne Advanced Identity Cloud invokes the first journey it finds configured, checking in the following order:

  • For a specific REST call to /oauth2/access_token, specify the journey as the auth_chain parameter.

  • For the realm, set the Password Grant Authentication Service property in the OAuth 2.0 provider service.

    Under Native Consoles > Access Management, go to Realms > Realm Name > Services > OAuth2 Provider > Advanced.

  • Also at the realm level, but at a lower priority, PingOne Advanced Identity Cloud uses the journey defined in the Organization Authentication Configuration property.

    Under Native Consoles > Access Management, go to Realms > Realm Name > Authentication > Settings > Core to set this property.

Get an access token using the ROPC grant flow

  1. The resource owner provides their credentials to the client. This is done outside the scope of this procedure.

  2. As the client, call /oauth2/access_token specifying the resource owner’s and the client’s credentials, and grant_type=password.

    For example:

    $ curl \
    --request POST \
    --user '<client-id>:<client-secret>' \
    --data "grant_type=password" \
    --data "username=<resource-owner-username>" \
    --data "password=<resource-owner-password>" \
    --data "scope=write" \
    'https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/access_token'

    The scope parameter is optional if default values are configured in the authorization server or the client.

    PingOne Advanced Identity Cloud returns an access token, for example:

    {
      "access_token": "<access-token>",
      "refresh_token": "<refresh-token>",
      "scope": "write",
      "token_type": "Bearer",
      "expires_in": 3599
    }

    By default, the authorization server also issues a refresh token whenever it issues access tokens.
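
The request from step 2 built in Python, as an added example that is not part of the Advanced Identity Cloud documentation. It form-encodes the credentials (curl's `--data` sends values as typed, so a password containing `&` or `+` would not arrive intact) and checks the token response before use. The tenant URL, sample credentials and function names are constructed, and sending `auth_chain` as a form field is an assumption.

```python
import base64
import time
from urllib.parse import urlencode
from urllib.request import Request

# Constructed placeholder; substitute your tenant FQDN and realm.
TOKEN_URL = ("https://tenant.example.com"
             "/am/oauth2/realms/root/realms/alpha/access_token")


def build_ropc_request(client_id, client_secret, username, password,
                       scope=None, auth_chain=None):
    """Return an unsent POST request for grant_type=password."""
    form = {"grant_type": "password",
            "username": username, "password": password}
    if scope:
        form["scope"] = scope
    if auth_chain:
        # Assumption: the journey name travels as a form field.
        form["auth_chain"] = auth_chain
    # urlencode() percent-encodes '&', '+', '=' and '%', so a password
    # containing them reaches the server intact instead of splitting the form.
    body = urlencode(form).encode("utf-8")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return Request(TOKEN_URL, data=body, method="POST", headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    })


def check_token_response(payload, requested_scope, now=None):
    """Validate a parsed token response; return (access_token, expiry)."""
    if "error" in payload:
        raise PermissionError(payload.get("error_description",
                                          payload["error"]))
    if payload.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    extra = set(payload.get("scope", "").split()) - set(requested_scope.split())
    if extra:
        raise ValueError(f"unrequested scopes granted: {sorted(extra)}")
    now = time.time() if now is None else now
    return payload["access_token"], now + int(payload["expires_in"])


if __name__ == "__main__":
    req = build_ropc_request("myClient", "constructed-secret",
                             "demo-user", "p&ss+w=rd%1", scope="write")
    print(req.get_method(), req.full_url)
    print(len(req.data), "bytes of form data (not printed: contains password)")
```

To send the request, pass it to `urllib.request.urlopen()` and hand the parsed JSON body to `check_token_response()`.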