Resource owner password credentials

With the resource owner password credentials feature, web clients can authenticate a user with a username and password without involving a browser. The implementation is compatible with the resource owner password credentials (ROPC) grant described in RFC 6749.

The Resource owner password credentials grant type cannot be selected when either the Authorization code or the Implicit grant type is configured, and vice versa. Features that require user interaction via the browser are not supported for web clients using ROPC; for example, consent and additional user authentication (SMS) are not available.

The Onegini Token Server supports the ROPC feature in combination with a SAML ECP PAOS binding, so a web client using this feature should have a SAML identity provider configured. The configured SAML identity provider requires a single sign-on service with the urn:oasis:names:tc:SAML:2.0:bindings:SOAP binding in its metadata. The attribute mappings of the identity provider are used to set the user id and other user properties.

RFC 6749 specifies that the authorization server should protect against brute force attacks. For this protection the Onegini Token Server relies on the configured identity provider.

When a scope verification service is configured, the requested scopes are verified. If verification fails, a 400 Bad Request response with the error unauthorized_user is returned. This error response contains an error_uri field holding the "scope validation failed" URI configured for that scope. For other error responses, refer to RFC 6749.
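The client side of the ROPC flow described above (the RFC 6749 token request, and the handling of the unauthorized_user scope verification error with its error_uri), as an added example that is not part of the Onegini documentation or product code. The token endpoint URL, the client credentials, and the sample responses are constructed placeholders; the client authenticates with HTTP Basic as RFC 6749 section 2.3.1 allows, which is an assumption about the deployment. The SAML ECP PAOS exchange with the identity provider happens inside the token server and is not visible to this client.

```python
import base64
import json
import urllib.error
import urllib.request
from urllib.parse import urlencode

# Placeholder: the token endpoint of the Onegini Token Server deployment.
# The real path is deployment specific and is not given on this page.
TOKEN_URL = "https://token-server.example.invalid/oauth/token"


class TokenError(Exception):
    """Any RFC 6749 section 5.2 error response other than the scope failure."""


class ScopeVerificationError(TokenError):
    """HTTP 400 with error "unauthorized_user": the scope verification
    service rejected the requested scopes. error_uri points at the
    'scope validation failed' URI configured for the offending scope."""

    def __init__(self, description, error_uri):
        super().__init__(f"unauthorized_user: {description}")
        self.description = description
        self.error_uri = error_uri


def build_ropc_token_request(client_id, client_secret, username, password, scopes):
    """Headers and form body of an RFC 6749 section 4.3.2 token request.

    The web client authenticates with HTTP Basic (section 2.3.1); the
    resource owner's username and password go in the form body, so the
    request must only ever be sent over TLS.
    """
    credentials = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {credentials}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "scope": " ".join(scopes),
    })
    return headers, body


def parse_token_response(status, body_text):
    """Map a token endpoint response to a result or a typed exception."""
    payload = json.loads(body_text)
    if status == 200:
        if "access_token" not in payload:
            raise TokenError("HTTP 200 without an access_token")
        return payload
    error = payload.get("error", "unknown_error")
    description = payload.get("error_description", "")
    if status == 400 and error == "unauthorized_user":
        raise ScopeVerificationError(description, payload.get("error_uri"))
    raise TokenError(f"HTTP {status}: {error} {description}".rstrip())


def request_access_token(client_id, client_secret, username, password, scopes,
                         token_url=TOKEN_URL):
    """Send the ROPC request and return the token response payload."""
    headers, body = build_ropc_token_request(client_id, client_secret,
                                             username, password, scopes)
    req = urllib.request.Request(token_url, data=body.encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_token_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as exc:
        # Error responses (400, 401) arrive as HTTPError; the JSON body
        # still carries error / error_description / error_uri.
        return parse_token_response(exc.code, exc.read().decode())


# Constructed sample responses (the access token value is the one used in
# the RFC 6749 examples; the error_uri is a placeholder).
SAMPLE_SUCCESS_RESPONSE = json.dumps({
    "access_token": "2YotnFZFEjr1zCsicMWpAA",
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "openid profile",
})
SAMPLE_SCOPE_ERROR_RESPONSE = json.dumps({
    "error": "unauthorized_user",
    "error_description": "Scope verification failed for scope 'admin'",
    "error_uri": "https://example.invalid/scope-policy",
})


if __name__ == "__main__":
    headers, body = build_ropc_token_request("web-client", "client-secret",
                                             "alice", "correct horse",
                                             ["openid", "profile"])
    print(body)
    print(parse_token_response(200, SAMPLE_SUCCESS_RESPONSE)["access_token"])
    try:
        parse_token_response(400, SAMPLE_SCOPE_ERROR_RESPONSE)
    except ScopeVerificationError as exc:
        print("scope rejected, see", exc.error_uri)
```

Because the user's password is sent in the form body, the client must hold and forward it only for the duration of the request and must never log the body; the typed ScopeVerificationError lets the caller show the configured error_uri to the user instead of a generic failure, while every other RFC 6749 error (invalid_grant for a wrong password, invalid_client for a bad client secret) surfaces as a TokenError.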