Issuing Tokens based on User Passwords

The password grant type is an OAuth 2.0 protocol flow for authenticating end-users at the token endpoint. It is designed for legacy applications, and it is generally recommended to use a browser-based flow instead - but in certain situation it is not feasible to change existing applications.

The password grant type is deprecated per OAuth 2.1.

Requesting a token using Password grant

First you need to add the GrantType.Password to the AllowedGrantTypes list of the client you want to use.

Then your client application would provide some means for the end-user to enter their credentials and post them to the token endpoint:

POST /token HTTP/1.1
Content-Type: application/x-www-form-urlencoded



.NET client library

On .NET you can use the IdentityModel client library to request tokens using the password grant type, e.g.:

using IdentityModel.Client;

var client = new HttpClient();

var response = await client.RequestPasswordTokenAsync(new PasswordTokenRequest
    Address = "",

    ClientId = "client",
    ClientSecret = "secret",
    Scope = "api1",

    UserName = "bob",
    Password = "password"

Validating the token request

Since this flow is not generally recommended, no standard implementation for validating the token request and user credentials is included. To add support for it you need to to implement and register an implementation of the IResourceOwnerPasswordValidator interface::

public interface IResourceOwnerPasswordValidator
    /// <summary>
    /// Validates the resource owner password credential
    /// </summary>
    /// <param name="context">The context.</param>
    Task ValidateAsync(ResourceOwnerPasswordValidationContext context);

On the context, parsed protocol parameters like UserName and Password, but also the raw request can be found.

It is the job of the validator to implement the password validation and set the Result property on the context accordingly (see the Grant Validation Result reference).