Resource Owner Password Credentials flow (ROPC)¶
There are some instances where an integration needs to perform an authentication without rendering a browser dialogue but still gets an access token associated with the identity of an end user. In these cases, Resource Owner Password Credentials Flow (ROPC) offers a way to do this.
POST https://<SYSTEM_URL>/auth/realms/<NAMESPACE>/protocol/openid-connect/token
grant_type: Denotes the use of Client Credential Flow. Should use the value “password“
scope: Should be set to “openid microprofile-jwt“
client_id: The Client ID of the IFS IAM client
client_secret: The Client secret of the IFS IAM client
username: The username of the end user which is to be associated with the access token.
password: The password of the end user which is to be associated with the access token.
Sample token endpoint request in resource owner password credentials flow
The client application will get a response in the following format for the above token endpoint request:
{
"access_token": "<NEW_ACCESS_TOKEN>",
"expires_in": 180,
"refresh_expires_in": 1800,
"refresh_token": "<NEW_REFRESH_TOKEN>",
"token_type": "Bearer",
"id_token": "<NEW_ID_TOKEN>",
"not-before-policy": 0,
"session_state": "<SESSION_STATE>",
"scope": "openid audience microprofile-jwt email profile"
}
The access_token element is extracted and used as the bearer token to access the IFS Cloud backend APIs and the refresh_token can be used to refresh access tokens as they expire.
The below illustration shows a high-level view of the client credentials and ROPC flows: