Password Grant

Not Recommended: The password grant should only be used for first-party, trusted applications. Never allow third-party apps to use this grant.

Overview

The password grant allows applications to exchange user credentials directly for tokens. This bypasses the normal authorization flow.

When to Use

Acceptable:

First-party mobile apps (owned by same company)
Migration from legacy systems
Trusted internal tools

Never use for:

Third-party applications
Public-facing apps
Any app you don't fully trust

Token Request

POST /token

Parameters

Parameter

Required

Description

grant_type

Yes

Must be password

username

Yes

User's username or email

password

Yes

User's password

scope

Optional

Requested scopes

Example

POST /token HTTP/1.1
Host: auth.example.com
Authorization: Basic YWJjMTIzOnNlY3JldA==
Content-Type: application/x-www-form-urlencoded

grant_type=password
&username=user@example.com
&password=secret123
&scope=openid%20profile

Response

{
  "access_token": "eyJhbGciOiJSUzI1NiIs...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "dGhpcyBpcyBhIHJlZnJlc2g...",
  "scope": "openid profile"
}

Security Risks

Credential exposure - App sees user's password
No consent - User doesn't explicitly authorize scopes
Phishing risk - Encourages entering passwords in apps
MFA bypass - May skip multi-factor authentication

Configuration

To enable password grant (not recommended):

ENABLE_PASSWORD_GRANT=true
PASSWORD_GRANT_ALLOWED_CLIENTS=trusted-app-1,trusted-app-2

Migration Path

Replace password grant with proper OAuth flows:

Mobile Apps

Use Authorization Code + PKCE:

// Instead of collecting password in app
// Redirect to Authority's login page
const params = new URLSearchParams({
  response_type: 'code',
  client_id: CLIENT_ID,
  redirect_uri: REDIRECT_URI,
  scope: 'openid profile',
  code_challenge: challenge,
  code_challenge_method: 'S256'
});

// Open in-app browser
openAuthUrl(`${AUTHORITY_URL}/authorize?${params}`);

Web Applications

Use Authorization Code:

// Redirect to Authority for login
window.location = `${AUTHORITY_URL}/authorize?response_type=code&...`;

Next Steps

Authorization Code + PKCE - Recommended for mobile/SPA
Authorization Code - Recommended for web apps
Client Credentials - For machine-to-machine

PreviousLegacy Flows NextOpenID Connect

Last updated 4 days ago

Was this helpful?

hashtagOverview

hashtagWhen to Use

hashtagToken Request

hashtagParameters

hashtagExample

hashtagResponse

hashtagSecurity Risks

hashtagConfiguration

hashtagMigration Path

hashtagMobile Apps

hashtagWeb Applications

hashtagNext Steps

Overview

When to Use

Token Request

Parameters

Example

Response

Security Risks

Configuration

Migration Path

Mobile Apps

Web Applications

Next Steps