Overview

In the ROPC Flow, the user provides their credentials (username and password) directly to the application, which then exchanges them for an access token. This flow is only recommended for highly trusted applications, such as first-party applications.

Steps

1. The client requests a token by calling the token endpoint.

# For client authentication method set to none:
curl --location --request POST \
--url "https://$TENANT_ID.$REGION_ID.authz.cloudentity.io/$TENANT_ID/$WORKSPACE_ID/oauth2/token" \
--header "Content-Type: application/x-www-form-urlencoded" \
--data-raw "grant_type=password&client_id=$CLIENT_ID&username=$USER_NAME&password=$USER_PASSWORD"

# For client authentication method set to client secret post or basic:
curl --location --request POST \
--url "https://$TENANT_ID.$REGION_ID.authz.cloudentity.io/$TENANT_ID/$WORKSPACE_ID/oauth2/token" \
--header "Content-Type: application/x-www-form-urlencoded" \
--data-raw "grant_type=password&client_id=$CLIENT_ID&client_secret=$CLIENT_SECRET&username=$USER_NAME&password=$USER_PASSWORD"
            

2. Authorization server validates user credentials.
3. Authorization server returns the access and ID tokens.
4. User gets authenticated.

Use Case

Highly trusted applications: Suitable when the application and the resource owner have a high level of trust, such as first-party applications.