Password Flow

⚠️ It is not recommended to use the password flow due to the inherent risks of collecting and storing user passwords on a client application.

The password grant type is an OAuth 2.0 protocol flow for authenticating users and is intended for legacy applications. We recommend the Authorization Code flow for retrieving user tokens wherever possible; it ensures that no access tokens are sent to the browser.

If you are writing a native or single-page application that cannot store a client_secret securely, we recommend Authorization Code with PKCE.

Token request

Tokens are requested with the password flow by sending the user's credentials to the POST /connect/token endpoint. The request body requires a client_id, a grant_type equal to password, and the user's credentials.

POST /connect/token

POST https://id.aritma.io/{tenant}/connect/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded

  client_id=YOUR_CLIENT_ID&
  client_secret=YOUR_CLIENT_SECRET&
  grant_type=password&
  username=USERNAME&
  password=PASSWORD

Response

HTTP/1.1 200 OK
Content-Type: application/json

{
  "access_token":"eyJz93a...k4laUWw",
  "refresh_token":"GEbRxBN...edjnXbL",
  "id_token":"eyJ0XAi...4faeEoQ",
  "token_type":"Bearer",
  "expires_in":86400
}
Parameter | Description
--- | ---
grant_type (required) | Denotes the flow you are using. For the password flow, use password.
client_id (required) | Your application's Client ID.
client_secret (required) | Your application's Client Secret.
username (required) | The username of the user.
password (required) | The password of the user.
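As an added example (not code from the Aritma documentation), the helper below builds the token request above with proper form-encoding, so a password containing `&`, `%` or spaces cannot corrupt the body, and validates the response, including the `error`/`error_description` shape that RFC 6749 defines for a failed grant. The tenant, client and error values used are constructed placeholders.

```python
"""Build and parse a password-grant token request for POST /connect/token."""
import json
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

TOKEN_URL = "https://id.aritma.io/{tenant}/connect/token"  # endpoint from the page


def build_token_request(tenant, client_id, client_secret, username, password):
    """Return (url, headers, body) for a password-grant token request.

    Every value is form-encoded, so a password containing '&', '=', '%' or
    spaces cannot break the body or be misparsed by the server.
    """
    url = TOKEN_URL.format(tenant=tenant)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"client_id": client_id, "client_secret": client_secret,
                      "grant_type": "password", "username": username,
                      "password": password})
    return url, headers, body


@dataclass
class TokenSet:
    access_token: str
    refresh_token: Optional[str]
    id_token: Optional[str]
    expires_at: float  # absolute epoch seconds, derived from expires_in


class TokenError(Exception):
    """Raised for an OAuth error response (RFC 6749 section 5.2) or a bad body."""


def parse_token_response(status, raw_body, now=None):
    """Validate a /connect/token response and compute the absolute expiry."""
    data = json.loads(raw_body)
    if status != 200:  # error bodies carry "error" and optional "error_description"
        raise TokenError(f"{status} {data.get('error', 'unknown_error')}: "
                         f"{data.get('error_description', '')}")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise TokenError(f"unexpected token_type {data.get('token_type')!r}")
    if "access_token" not in data or not isinstance(data.get("expires_in"), int):
        raise TokenError("response lacks access_token or integer expires_in")
    now = time.time() if now is None else now
    return TokenSet(data["access_token"], data.get("refresh_token"),
                    data.get("id_token"), now + data["expires_in"])
```

The computed `expires_at` lets a client refresh before the access token lapses instead of discovering expiry through a failed API call.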