If implementing the Resource Owner Password flow is your only option, you need to make direct calls to the OIDC & OAuth 2.0 API. See the following sections for requests required in the flow.
Request for tokens
Before you can begin this flow, collect the user's password in a manner of your choosing. After you collect the credentials, all that's required is a single API call to the authorization server's
/token endpoint. If you're using the org authorization server, then your request would look something like this:
Important: The call to your authorization server's
/token endpoint requires authentication. In this case, it's a Basic Authentication digest of the client ID and secret. You can find the client ID and secret on your application's General tab. See Client Authentication Methods.
Note the parameters that are being passed:
password, indicating that you're using the Resource Owner Password grant type.
username is the username of a user registered with Okta.
password is the password of a user registered with Okta.
scope is at least
openid. For custom scopes, see the Create Scopes section of the Create an authorization server guide.
For more information on these parameters, see the OAuth 2.0 API reference.
If the credentials are valid, your application receives back access and ID tokens:
Validate access token
When your application passes a request with an access token, the resource server needs to validate it. See Validate access tokens.