Use the Resource Owner Password flow

Before you can begin this flow, collect the user's password in a manner of your choosing. After you collect the credentials, all that is required is a single API call to the Authorization Server's /token endpoint. If you are using the default Custom Authorization Server, then your request would look something like this:

curl --request POST \
  --url https://${yourOktaDomain}/oauth2/default/v1/token \
  --header 'accept: application/json' \
  --header 'authorization: Basic MG9hYn...' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=password&username=testuser1%40example.com&password=%7CmCovrlnU9oZU4qWGrhQSM%3Dyd&scope=openid'

Important: The call to your Authorization Server's /token endpoint requires client authentication. In this case, the Client ID and secret are sent as HTTP Basic Auth credentials in the authorization header. You can find the Client ID and secret on your application's General tab. See Client Authentication Methods.

Note the parameters that are being passed:

  • grant_type is password, indicating that we are using the Resource Owner Password grant type.
  • username is the username of a user registered with Okta.
  • password is the password of a user registered with Okta.
  • scope must be at least openid. See the Create Scopes section of the Create an Authorization Server guide.

For more information on these parameters, see the OAuth 2.0 API reference.

If the credentials are valid, your application receives back access and ID tokens:

{
    "access_token": "eyJhb[...]56Rg",
    "expires_in": 3600,
    "id_token": "eyJhb[...]yosFQ",
    "scope": "openid",
    "token_type": "Bearer"
}
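The same exchange as an added Python example (not code from the Okta documentation): it builds the request shown above with the standard library, form-encodes the user's credentials, and checks the JSON response before the tokens are used. The domain, Client ID and secret are constructed placeholders, and the response parsed at the end mirrors the sample above with constructed token strings.

```python
import base64
import json
import urllib.parse
import urllib.request

# Constructed placeholders, not real credentials.
OKTA_DOMAIN = "example.okta.com"
CLIENT_ID = "id"
CLIENT_SECRET = "secret"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic credentials: base64 of 'client_id:client_secret'."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(username: str, password: str, scope: str = "openid"):
    """Build the POST to the default Authorization Server's /token endpoint.

    urlencode() form-encodes the values, so '@', '|' and '=' in the user's
    credentials become %40, %7C and %3D exactly as in the curl example.
    """
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "scope": scope,
    }).encode("ascii")
    headers = {
        "accept": "application/json",
        # Both this header and the body carry secrets: keep them out of logs.
        "authorization": basic_auth_header(CLIENT_ID, CLIENT_SECRET),
        "content-type": "application/x-www-form-urlencoded",
    }
    url = f"https://{OKTA_DOMAIN}/oauth2/default/v1/token"
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def parse_token_response(raw: bytes) -> dict:
    """Check the fields of a successful response before handing tokens on."""
    resp = json.loads(raw)
    missing = [k for k in ("access_token", "id_token", "expires_in") if k not in resp]
    if missing:
        raise ValueError(f"token response is missing {missing}")
    if resp.get("token_type") != "Bearer":
        raise ValueError(f"unexpected token_type {resp.get('token_type')!r}")
    if "openid" not in resp.get("scope", "").split():
        raise ValueError("openid scope was not granted; id_token cannot be relied on")
    return {k: resp[k] for k in ("access_token", "id_token", "expires_in")}


def request_tokens(username: str, password: str) -> dict:
    """Send the request over the network and validate what comes back."""
    with urllib.request.urlopen(build_token_request(username, password), timeout=10) as r:
        return parse_token_response(r.read())
```

A non-2xx reply from the /token endpoint raises urllib.error.HTTPError from urlopen, so an invalid credential never reaches parse_token_response.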