If implementing the Resource Owner Password flow is your only option, you need to make direct calls to the OIDC & OAuth 2.0 API. See the following sections for the requests required in the flow. Because the client itself collects and forwards the user's password, the authorization server cannot run its normal sign-in flow (including any multifactor challenge) for that user, and the OAuth 2.0 Security Best Current Practice (RFC 9700) says this grant must not be used; treat it as a last resort for legacy clients that cannot be migrated to a redirect-based flow.
Request for tokens

Before you can begin this flow, collect the user's username and password in a manner of your choosing; in this grant the user is never redirected to Okta's sign-in page. After you have the credentials, all that's required is a single API call to the authorization server's /token endpoint. If you're using the org authorization server, the request looks something like this:
Important: The call to your authorization server's /token endpoint requires client authentication. In this case that's HTTP Basic authentication: the Authorization header carries the Base64 encoding of client_id:client_secret. This is an encoding, not a digest, so anyone who can read the header can recover the secret; only ever send it over TLS. You can find the client ID and secret on your application's General tab. See Client Authentication Methods.
Note the parameters that are being passed:

- grant_type is password, indicating that you're using the Resource Owner Password grant type.
- username is the username of a user registered with Okta.
- password is the password of a user registered with Okta.
- scope is at least openid, which is what causes an ID token to be issued alongside the access token. For custom scopes, see the Create Scopes section of the Create an authorization server guide.

For more information on these parameters, see the OAuth 2.0 API reference.
If the credentials are valid and client authentication succeeds, your application receives an access token and an ID token in the JSON response; if either check fails, the endpoint returns a 4xx status with an OAuth error body (for example invalid_grant for bad user credentials or invalid_client for bad client credentials):
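The full request-and-response round trip above, as an added example that is not code from the Okta guide. It assumes the org authorization server's token endpoint, https://{yourOktaDomain}/oauth2/v1/token, a confidential client (one that has a client secret), and uses only the standard library. The domain, client ID and secret, and user credentials are placeholders, and SAMPLE_TOKEN_RESPONSE is a constructed success response with dummy token values.

```python
"""Resource Owner Password grant against an Okta org authorization server.

Added example, not code from the Okta guide. Assumes the org authorization
server's token endpoint https://{yourOktaDomain}/oauth2/v1/token and a
confidential client. Domain, client credentials and user credentials below
are placeholders.
"""
import base64
import json
import urllib.parse
import urllib.request
from urllib.error import HTTPError


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """client_secret_basic: Base64 of "client_id:client_secret" (an encoding, not a digest)."""
    creds = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")


def build_token_request(okta_domain, client_id, client_secret, username, password, scope="openid"):
    """Return (url, headers, form_body) for the /token call without sending it."""
    url = f"https://{okta_domain}/oauth2/v1/token"
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": basic_auth_header(client_id, client_secret),
    }
    # The user's credentials travel in the form body; the client's in the header.
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "scope": scope,
    })
    return url, headers, body


def request_tokens(okta_domain, client_id, client_secret, username, password, scope="openid"):
    """POST the request and return the parsed JSON response, raising on an OAuth error."""
    url, headers, body = build_token_request(okta_domain, client_id, client_secret,
                                             username, password, scope)
    req = urllib.request.Request(url, data=body.encode("utf-8"), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read())
    except HTTPError as exc:
        # A bad grant or bad client auth comes back as a 4xx with an OAuth error body.
        detail = json.loads(exc.read() or b"{}")
        raise RuntimeError(
            f"/token returned {exc.code}: {detail.get('error')}: {detail.get('error_description')}"
        ) from exc


def parse_token_response(payload: dict) -> dict:
    """Check the fields a client relies on and return just the ones it should keep."""
    for key in ("access_token", "token_type", "expires_in"):
        if key not in payload:
            raise ValueError(f"token response is missing {key}")
    if payload["token_type"].lower() != "bearer":
        raise ValueError(f"unexpected token_type {payload['token_type']!r}")
    granted = set(payload.get("scope", "").split())
    # An id_token is only issued when the granted scope includes openid.
    id_token = payload.get("id_token")
    if "openid" in granted and id_token is None:
        raise ValueError("openid was granted but no id_token was returned")
    return {
        "access_token": payload["access_token"],
        "id_token": id_token,
        "expires_in": int(payload["expires_in"]),
        "scope": sorted(granted),
    }


# Constructed sample of the shape returned on success (token values are dummies).
SAMPLE_TOKEN_RESPONSE = {
    "token_type": "Bearer",
    "expires_in": 3600,
    "access_token": "eyJhbGciOiJSUzI1NiJ9.dummy.access",
    "scope": "openid profile",
    "id_token": "eyJhbGciOiJSUzI1NiJ9.dummy.id",
}

if __name__ == "__main__":
    # Placeholders; replace with your org domain, client credentials and a test user.
    tokens = request_tokens("dev-123456.okta.com", "0oaabc", "s3cr3t",
                            "alice@example.com", "P@ss", "openid profile")
    print(parse_token_response(tokens))
```

Keep the client secret out of the request body and in the Authorization header as shown; do not log the header or the form body, since both carry a reusable credential.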
Validate access token

When your application passes a request with an access token, the resource server needs to validate it (signature, issuer, audience and expiry, not just the expiry) before trusting any claim in it. See Validate access tokens.