If implementing the Resource Owner Password flow is your only option, you need to make direct calls to Okta's OIDC & OAuth 2.0 API. See the following sections for requests required in the flow.
Request for tokens
Before you can begin this flow, collect the user's password in a manner of your choosing. After you collect the credentials, all that is required is a single API call to the authorization server's /token
endpoint. If you are using the default custom authorization server, then your request would look something like this:
Important: The call to your authorization server's /token
endpoint requires authentication. In this case, it is a Basic Auth digest of the client ID and secret. You can find the client ID and secret on your application's General tab. See Client Authentication Methods.
Note the parameters that are being passed:
grant_type
is password
, indicating that we are using the Resource Owner Password grant type. username
is the username of a user registered with Okta. password
is the password of a user registered with Okta. scope
must be at least openid
. See the Create Scopes section of the Create an authorization server guide.
For more information on these parameters, see the OAuth 2.0 API reference.
If the credentials are valid, your application receives back access and ID tokens:
Validate access token
When your application passes a request with an access token, the resource server needs to validate it. See Validate access tokens.