User Credentials Flow


The user credentials flow (aka the password flow; RFC 6749 calls it the "resource owner password credentials" grant) is used when the client application already holds a copy of a user's login and password and needs to obtain an access token, typically again and again as earlier tokens expire. It is intended for a trusted, first-party application (e.g., an official mobile client) acting on behalf of a known user; it is not a general-purpose flow for third-party clients.

Protocol


Because this flow hands the user's actual login and password to the client, it should only be used in special circumstances and in secure settings. Unlike an access or refresh token, a password cannot be scoped or selectively revoked: if the client application (or the storage it keeps the password in) is compromised, the user's primary credential is exposed. Resetting the user's password after such a breach is usually possible, but it is cumbersome for both the user and the client application. For these reasons the OAuth 2.0 Security Best Current Practice advises against the password grant, and OAuth 2.1 drops it; prefer the authorization code flow (with PKCE) where a browser-based login is possible.

Here's some example JavaScript (Node, using the `request` library) that shows how to initiate the flow. The parameters must be sent as an application/x-www-form-urlencoded POST body, never as query-string parameters, so that the password does not end up in server or proxy logs, and the token endpoint must be served over TLS.

const request = require('request');

request.post({
    url: 'https://1.2.3.4:8080/token',           // token endpoint, TLS required
    form: { 'username': user_name,               // form-encoded POST body, not query string
            'password': user_password,
            'client_id': CLIENT_ID,
            'grant_type': 'password' }
}, function (err, res, body) {
    if (err) throw err;
    const token = JSON.parse(body);              // {access_token, expires_in, token_type}
});

If successful, the response will be a JSON object:

{
   "access_token": "axb2y-...",
   "expires_in":3600,
   "token_type":"Bearer"
}

In the case of an error, the response carries an HTTP status of 400 or higher and a JSON object with the following structure (a server that follows RFC 6749 reports a wrong username or password as "invalid_grant"; the error_description is free text meant for developers, not for display to end users):

{
   "error": "invalid_refresh_token",
   "error_description": "Invalid refresh token"
}