Resource Owner Password Credentials

Resource Owner Password Credentials is a legacy OAuth grant where the client collects a user's username and password and exchanges them directly for tokens.

Prerequisites

  • A trusted first-party client
  • Explicit server-side grant enablement
  • A clear migration plan toward Authorization Code + PKCE

When to Use

Use this flow only for legacy or internal scenarios where redirect-based login is not possible. New browser, mobile, and public-client integrations should use Authorization Code Flow with PKCE.

Request Shape

curl -X POST https://localhost:5001/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=password&client_id=legacy-client&username=user@example.com&password=replace-with-real-password"

Common Pitfalls

  • Treating password grant as the default integration option.
  • Using password grant from browser-based applications.
  • Forgetting that this flow gives the client direct access to user credentials.

Troubleshooting

  • If the request is rejected, verify that the client is allowed to use this grant.
  • If discovery metadata does not advertise this grant, treat that as intentional guidance for new integrations.
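The following script is an added example, not part of the original page or any particular authorization server's SDK. It ties the Request Shape above to the two Troubleshooting points: it first checks discovery metadata (the RFC 8414 `grant_types_supported` field) before attempting the grant, then sends the same form-encoded request the curl example shows, and maps the standard OAuth error codes (`unauthorized_client`, `unsupported_grant_type`, `invalid_grant`, `invalid_client`) to the action a client should take. The issuer, `legacy-client`, `user@example.com` and `replace-with-real-password` are placeholders taken from the page; the sample metadata is constructed, and `transport` is a hypothetical injection point so the logic can be exercised without a live server.

```python
"""Password-grant token request with a discovery pre-check and error handling.
Added example, not from the original page; endpoint, client id and
credentials are placeholders."""
import json
import urllib.parse
import urllib.request
from urllib.error import HTTPError, URLError

# Constructed sample discovery document (RFC 8414 shape). A real server serves
# this at /.well-known/oauth-authorization-server or
# /.well-known/openid-configuration. Note that "password" is NOT listed here.
SAMPLE_METADATA = {
    "issuer": "https://localhost:5001",
    "token_endpoint": "https://localhost:5001/token",
    "grant_types_supported": ["authorization_code", "refresh_token"],
}

# Error codes from RFC 6749 section 5.2, mapped to the action a client should take.
ERROR_ACTIONS = {
    "unauthorized_client": "client is not allowed to use the password grant; "
                           "enable it server-side or migrate to Authorization Code + PKCE",
    "unsupported_grant_type": "server does not offer the password grant; "
                              "use Authorization Code + PKCE",
    "invalid_grant": "username or password rejected; do not retry with the same credentials",
    "invalid_client": "client authentication failed; check client_id/client_secret",
}


def grant_advertised(metadata, grant_type="password"):
    """True if discovery metadata lists grant_type. Per RFC 8414 an absent
    grant_types_supported key means authorization_code and implicit only."""
    supported = metadata.get("grant_types_supported", ["authorization_code", "implicit"])
    return grant_type in supported


def build_token_request(client_id, username, password, scope=None):
    """Form-encoded body for the password grant (RFC 6749 section 4.3.2)."""
    fields = {"grant_type": "password", "client_id": client_id,
              "username": username, "password": password}
    if scope:
        fields["scope"] = scope
    return urllib.parse.urlencode(fields)


def _urllib_transport(url, body, headers):
    """Default transport: POST the body, return (HTTP status, response text).
    OAuth error responses arrive as HTTP 400/401 with a JSON body, so keep them."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        return err.code, err.read().decode()
    except URLError as err:
        return 0, json.dumps({"error": "network_error", "error_description": str(err.reason)})


def request_token(token_endpoint, client_id, username, password,
                  scope=None, transport=_urllib_transport):
    """Exchange user credentials for tokens once. Returns the server's token
    response on success, otherwise a dict with "error" and an "action" hint.
    The password is sent and then dropped; it is never stored or logged here."""
    body = build_token_request(client_id, username, password, scope)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    status, text = transport(token_endpoint, body, headers)
    try:
        payload = json.loads(text)
    except json.JSONDecodeError:
        return {"error": "invalid_response", "action": f"non-JSON response with HTTP {status}"}
    if status == 200 and "access_token" in payload:
        return payload
    code = payload.get("error", "unknown_error")
    return {"error": code,
            "error_description": payload.get("error_description", ""),
            "action": ERROR_ACTIONS.get(code, f"unexpected error with HTTP {status}")}


if __name__ == "__main__":
    if not grant_advertised(SAMPLE_METADATA):
        print("discovery does not advertise the password grant; "
              "new integrations should use Authorization Code + PKCE")
    result = request_token(SAMPLE_METADATA["token_endpoint"], "legacy-client",
                           "user@example.com", "replace-with-real-password")
    print(result.get("access_token", result))
```

Running the script against a server that has not enabled the grant prints the discovery warning and then an `unauthorized_client` or `unsupported_grant_type` result with the migration hint rather than a stack trace. Keeping the transport injectable lets the error mapping be unit-tested without standing up an authorization server.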