Resource owner password credentials
With the resource owner password credentials feature, a web client can authenticate a user with the user's username and password without involving a browser. The implementation is compatible with the resource owner password credentials (ROPC) grant described in RFC 6749 (section 4.3).
The resource owner password credentials grant type cannot be combined with the authorization code or implicit grant type on the same web client: when either of those is configured, ROPC cannot be selected, and vice versa. Features that require user interaction via the browser are not supported for web clients using ROPC, so for example consent and additional user authentication (SMS) are not available.
The Onegini Token Server supports the ROPC feature in combination with the SAML ECP profile (PAOS binding): the user is authenticated at the identity provider over a direct SOAP exchange, the ECP requester to identity provider leg of that profile, rather than through browser redirects. A web client using this feature must therefore have a SAML identity provider configured, and that identity provider's metadata must contain a single sign-on service with the urn:oasis:names:tc:SAML:2.0:bindings:SOAP binding. The attribute mappings of the identity provider are used to set the user id and other user properties.
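The metadata requirement above can be checked before the identity provider is configured. The following is an added example, not Onegini's code: it parses an IdP metadata document with Python's standard library and reports whether an IDPSSODescriptor advertises a SingleSignOnService with the SOAP binding, and whether that endpoint is served over https, since the ECP exchange to it carries the user's credentials. The metadata documents and hostnames are constructed for the example.

```python
"""Pre-flight check of SAML IdP metadata for the ROPC + ECP flow.
Added example, not part of the Onegini Token Server; sample metadata
and hostnames below are constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def soap_sso_locations(metadata_xml: str) -> list[str]:
    """Locations of every IdP SingleSignOnService that uses the SOAP binding.
    ElementTree does not resolve external entities, but for metadata from an
    untrusted source prefer defusedxml to also limit entity expansion."""
    root = ET.fromstring(metadata_xml)
    locations = []
    # Walk every IDPSSODescriptor, so EntitiesDescriptor wrappers also work.
    for idp in root.iter(f"{{{MD_NS}}}IDPSSODescriptor"):
        for sso in idp.findall("md:SingleSignOnService", NS):
            if sso.get("Binding") == SOAP_BINDING and sso.get("Location"):
                locations.append(sso.get("Location"))
    return locations


def ecp_metadata_problems(metadata_xml: str) -> list[str]:
    """Problems that would stop the Token Server from using this IdP for
    ROPC; an empty list means the metadata meets the requirement."""
    try:
        locations = soap_sso_locations(metadata_xml)
    except ET.ParseError as exc:
        return [f"metadata is not well-formed XML: {exc}"]
    problems = []
    if not locations:
        problems.append("no SingleSignOnService with binding " + SOAP_BINDING)
    for loc in locations:
        # The SOAP leg carries the resource owner's password to the IdP.
        if urlsplit(loc).scheme != "https":
            problems.append(f"SOAP SSO endpoint is not https: {loc}")
    return problems


def _metadata(*services: tuple[str, str]) -> str:
    """Constructed EntityDescriptor with the given (binding, location) pairs."""
    sso = "".join(
        f'    <md:SingleSignOnService Binding="{b}" Location="{loc}"/>\n'
        for b, loc in services
    )
    return (
        f'<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://idp.example.test/saml">\n'
        '  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">\n'
        f"{sso}"
        "  </md:IDPSSODescriptor>\n"
        "</md:EntityDescriptor>\n"
    )


# Constructed samples: an IdP that meets the requirement, one that only offers
# the browser (HTTP-Redirect) binding, and one with a plain-http SOAP endpoint.
ECP_READY_METADATA = _metadata(
    (REDIRECT_BINDING, "https://idp.example.test/saml/sso/redirect"),
    (SOAP_BINDING, "https://idp.example.test/saml/sso/soap"),
)
BROWSER_ONLY_METADATA = _metadata(
    (REDIRECT_BINDING, "https://idp.example.test/saml/sso/redirect"),
)
PLAIN_HTTP_METADATA = _metadata(
    (SOAP_BINDING, "http://idp.example.test/saml/sso/soap"),
)

if __name__ == "__main__":
    for name, md in [("ecp-ready", ECP_READY_METADATA),
                     ("browser-only", BROWSER_ONLY_METADATA),
                     ("plain-http", PLAIN_HTTP_METADATA)]:
        print(name, ecp_metadata_problems(md) or "ok")
```

Run it against the metadata exported by the identity provider; an IdP that only publishes the HTTP-Redirect or HTTP-POST SSO bindings will fail the ECP leg of this flow even though browser-based SAML login to it works.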
RFC 6749 (section 4.3.2) requires the authorization server to protect the token endpoint against brute force attacks on the resource owner's password, for example by rate limiting or generating alerts. The Onegini Token Server does not enforce this itself for the ROPC grant; it relies on the configured identity provider to do so. When selecting an identity provider for this feature, verify that its account lockout or rate limiting also applies to the SOAP single sign-on endpoint, not only to its browser-based login.
When a scope verification service is configured, the requested scopes are verified against it. If verification fails, a 400 Bad Request response with the unauthorized_user error is returned; this error response contains a field holding the scope validation failed URI configured for that scope. For other error responses please refer to the RFC (section 5.2).
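The request and the error handling described on this page, as an added example that is not Onegini code: a small Python client that builds the RFC 6749 section 4.3.2 token request, classifies the response, and treats the 400 unauthorized_user case separately. The token endpoint URL and client credentials are placeholders, the token server is stood in for by a constructed fake transport so the script runs offline, and because this page does not name the field that carries the scope validation failed URI, the example assumes the standard error_uri field and makes the field name a parameter.

```python
"""ROPC client for an OAuth 2.0 token endpoint. Added example, not part of
the Onegini Token Server. Endpoint URL and client credentials are
placeholders; the URI field name in the unauthorized_user error is assumed."""
import base64
import json
import urllib.error
import urllib.request
from urllib.parse import parse_qsl, quote, urlencode

TOKEN_ENDPOINT = "https://token-server.example.test/oauth/token"  # placeholder


def build_ropc_request(client_id, client_secret, username, password, scope=None):
    """Headers and form body of an RFC 6749 section 4.3.2 access token request.
    The client authenticates with HTTP Basic (section 2.3.1: each value is
    form-urlencoded before joining with ':'); only the resource owner's
    credentials travel in the body."""
    pair = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    headers = {
        "Authorization": "Basic " + base64.b64encode(pair.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    form = {"grant_type": "password", "username": username, "password": password}
    if scope:
        form["scope"] = scope
    return headers, urlencode(form)


def classify_token_response(status, body, uri_field="error_uri"):
    """Map (HTTP status, JSON body) to an outcome:
    ("token", body) for a section 5.1 success response,
    ("scope_rejected", uri) for the 400 unauthorized_user scope failure,
    ("error", code) for any other section 5.2 error or unexpected status."""
    if status == 200 and "access_token" in body:
        return ("token", body)
    error = body.get("error")
    if status == 400 and error == "unauthorized_user":
        return ("scope_rejected", body.get(uri_field))  # uri_field is an assumption
    return ("error", error or f"http_{status}")


def urllib_transport(headers, form_body):
    """Real transport: POST the form, return (status, parsed JSON body).
    urllib raises HTTPError for 4xx, but that body is the error document."""
    req = urllib.request.Request(TOKEN_ENDPOINT, data=form_body.encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read())


def request_token(username, password, scope=None, transport=urllib_transport,
                  client_id="web-client", client_secret="placeholder-secret"):
    headers, body = build_ropc_request(client_id, client_secret, username, password, scope)
    status, payload = transport(headers, body)
    return classify_token_response(status, payload)


def fake_transport(headers, form_body):
    """Constructed stand-in for the token server so the example runs offline.
    Accepts one user and rejects the 'admin' scope the way the page describes
    a scope verification failure: 400 with unauthorized_user and a URI."""
    if not headers.get("Authorization", "").startswith("Basic "):
        return 401, {"error": "invalid_client"}
    fields = dict(parse_qsl(form_body))
    if fields.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    if (fields.get("username"), fields.get("password")) != ("alice", "correct horse"):
        return 400, {"error": "invalid_grant"}
    scopes = fields.get("scope", "").split()
    if "admin" in scopes:
        return 400, {"error": "unauthorized_user",
                     "error_uri": "https://token-server.example.test/scopes/admin"}
    return 200, {"access_token": "constructed-token", "token_type": "bearer",
                 "expires_in": 3600, "scope": " ".join(scopes)}


if __name__ == "__main__":
    for user, pw, scope in [("alice", "correct horse", "read"),
                            ("alice", "wrong", "read"),
                            ("alice", "correct horse", "read admin")]:
        print(scope, "->", request_token(user, pw, scope, transport=fake_transport))
```

Two points worth keeping when adapting this: the user's password appears in the form body only, so never log the request body on the client, and an invalid_grant answer should be treated as a signal that the identity provider's lockout policy may be counting, since the Token Server itself adds no brute force protection for this grant.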