
Resource Owner Password Credentials flow (ROPC)

There are some instances where an integration needs to authenticate without rendering a browser dialogue but still obtain an access token associated with the identity of an end user. In such cases, the Resource Owner Password Credentials flow (ROPC) offers a way to do this.

POST https://<SYSTEM_URL>/auth/realms/<NAMESPACE>/protocol/openid-connect/token

grant_type: Denotes the use of the Resource Owner Password Credentials flow. Should use the value "password"

scope: Should be set to "openid microprofile-jwt"

client_id: The Client ID of the IFS IAM client

client_secret: The Client secret of the IFS IAM client

username: The username of the end user to be associated with the access token.

password: The password of the end user to be associated with the access token.

Sample token endpoint request in resource owner password credentials flow

The client application will get a response in the following format for the above token endpoint request:

{
    "access_token": "<NEW_ACCESS_TOKEN>",
    "expires_in": 180,
    "refresh_expires_in": 1800,
    "refresh_token": "<NEW_REFRESH_TOKEN>",
    "token_type": "Bearer",
    "id_token": "<NEW_ID_TOKEN>",
    "not-before-policy": 0,
    "session_state": "<SESSION_STATE>",
    "scope": "openid audience microprofile-jwt email profile"
}

The access_token element is extracted and used as the bearer token to access the IFS Cloud backend APIs, and the refresh_token can be used to obtain new access tokens as they expire.
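As an added example (not IFS's own code), the following Python puts the request above, the response handling and the refresh step together; the endpoint is built from placeholders for SYSTEM_URL and NAMESPACE, all credentials are placeholders, and the refresh call uses the standard OAuth 2.0 grant_type "refresh_token" (RFC 6749), which the page itself does not spell out.

```python
import json
import urllib.parse
import urllib.request

TOKEN_PATH = "/auth/realms/{namespace}/protocol/openid-connect/token"

def token_endpoint(system_url, namespace):
    # Endpoint from the page; https is mandatory because the user's password
    # and the client secret travel in the request body.
    if not system_url.startswith("https://"):
        raise ValueError("token endpoint must use https")
    return system_url.rstrip("/") + TOKEN_PATH.format(namespace=namespace)

def ropc_form(client_id, client_secret, username, password):
    # Form parameters listed on the page; grant_type "password" selects ROPC.
    return {"grant_type": "password", "scope": "openid microprofile-jwt",
            "client_id": client_id, "client_secret": client_secret,
            "username": username, "password": password}

def refresh_form(client_id, client_secret, refresh_token):
    # Standard OAuth 2.0 refresh grant (assumed, RFC 6749 section 6): renews
    # the access token without sending the end user's password again.
    return {"grant_type": "refresh_token", "client_id": client_id,
            "client_secret": client_secret, "refresh_token": refresh_token}

def post_form(url, form):
    # Real HTTP call (not exercised offline); the body is form-encoded,
    # not JSON, as the token endpoint expects.
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())

def parse_token_response(payload, now):
    # Validate the response shape shown on the page and convert the relative
    # lifetimes into absolute instants so the client knows when to refresh.
    for key in ("access_token", "refresh_token", "expires_in", "token_type"):
        if key not in payload:
            raise ValueError("token response missing " + key)
    if payload["token_type"].lower() != "bearer":
        raise ValueError("unexpected token_type " + payload["token_type"])
    return {"access_token": payload["access_token"],
            "refresh_token": payload["refresh_token"],
            "access_expires_at": now + payload["expires_in"],
            "refresh_expires_at": now + payload.get("refresh_expires_in", 0)}

def needs_refresh(tok, now, skew=30):
    # Refresh once fewer than `skew` seconds remain on the 180 s access token.
    return now >= tok["access_expires_at"] - skew
```

A client would call `post_form(token_endpoint(...), ropc_form(...))` once, keep only the parsed result in memory, and call `post_form(..., refresh_form(...))` whenever `needs_refresh` returns True, so the user's password is sent exactly once per session.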

The below illustration shows a high-level view of the client credentials and ROPC flows: