Issuing Tokens based on User Passwords
The password grant type is an OAuth 2.0 protocol flow for authenticating end-users at the token endpoint. It is designed for legacy applications, and it is generally recommended to use a browser-based flow instead - but in certain situations it is not feasible to change existing applications.
Requesting A Token Using Password Grant
First you need to add the GrantType.Password to the AllowedGrantTypes list of the client you want to use.
Then your client application would provide some means for the end-user to enter their credentials and post them to the token endpoint:
POST /token HTTP/1.1
Host: demo.duendesoftware.com
Content-Type: application/x-www-form-urlencoded

client_id=client&client_secret=secret&grant_type=password&username=bob&password=password
.NET Client Library
On .NET you can use the IdentityModel client library to request tokens using the password grant type, e.g.:
using System.Net.Http;
using IdentityModel.Client;

var client = new HttpClient();

// Sends the same form-encoded password grant request shown above to the token endpoint
var response = await client.RequestPasswordTokenAsync(new PasswordTokenRequest
{
    Address = "https://demo.duendesoftware.com/connect/token",
    ClientId = "client",
    ClientSecret = "secret",
    Scope = "api1",
    UserName = "bob",
    Password = "password"
});
Validating The Token Request
Since this flow is not generally recommended, no standard implementation for validating the token request and user credentials is included. To add support for it, you need to implement and register an implementation of the IResourceOwnerPasswordValidator interface:
public interface IResourceOwnerPasswordValidator
{
    /// <summary>
    /// Validates the resource owner password credential
    /// </summary>
    /// <param name="context">The context.</param>
    Task ValidateAsync(ResourceOwnerPasswordValidationContext context);
}
The context contains parsed protocol parameters like UserName and Password and the raw request. It is the job of the validator to implement the password validation and set the Result property on the context accordingly (see the Grant Validation Result reference).
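As an added example (not code from this page or from the IdentityServer project), the following validator implements the interface above against a constructed in-memory user record, hashing the supplied password even for unknown usernames so that response timing does not reveal whether an account exists, comparing hashes in constant time, and returning one generic invalid_grant error for every failure reason. The StoredUser record, the DemoResourceOwnerPasswordValidator class and the "sub-bob" subject value are assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Duende.IdentityServer.Models;
using Duende.IdentityServer.Validation;
using IdentityModel;

// Constructed user record; a real validator would query the application's user store instead.
public record StoredUser(string Subject, string UserName, byte[] Salt, byte[] Hash, bool Active);

public class DemoResourceOwnerPasswordValidator : IResourceOwnerPasswordValidator
{
    private const int Iterations = 100_000;
    private static readonly Dictionary<string, StoredUser> Users = BuildUsers();

    public Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
    {
        // Hash the supplied password even when the user is unknown, so timing does not reveal whether the username exists.
        var found = Users.TryGetValue(context.UserName ?? string.Empty, out var user);
        var salt = found ? user!.Salt : new byte[16];
        var candidate = Pbkdf2(context.Password ?? string.Empty, salt);

        if (found && user!.Active && CryptographicOperations.FixedTimeEquals(candidate, user.Hash))
        {
            context.Result = new GrantValidationResult(
                user.Subject,
                OidcConstants.AuthenticationMethods.Password,
                new[] { new Claim(JwtClaimTypes.Name, user.UserName) });
        }
        else
        {
            // One generic error covers unknown user, wrong password and disabled account.
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "invalid credentials");
        }
        return Task.CompletedTask;
    }

    private static byte[] Pbkdf2(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, 32);

    private static Dictionary<string, StoredUser> BuildUsers()
    {
        var salt = RandomNumberGenerator.GetBytes(16);
        var bob = new StoredUser("sub-bob", "bob", salt, Pbkdf2("password", salt), Active: true); // constructed sample
        return new Dictionary<string, StoredUser>(StringComparer.Ordinal) { [bob.UserName] = bob };
    }
}
// Register with: builder.Services.AddIdentityServer().AddResourceOwnerValidator<DemoResourceOwnerPasswordValidator>();
```

With this registered, the token request shown earlier for user bob succeeds, while a wrong password, an unknown username or a disabled account all receive the same invalid_grant response.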