Password Flow
Warning
When using the password flow, the application itself handles the user's credentials; it should therefore not be used with clients that are not fully trusted.
You can use the Password Flow to create an access token.
We do not recommend using this flow!
Applications need to ask the user for their username (email) and password and send them to their backend before creating an access token. It's possible that these credentials get stored and reused in the future. If possible, use a different flow such as the Authorization Code Flow.
As pointed out in OAuth 2.0 Security Best Current Practice, using this flow is not recommended, and it will be removed in OAuth 2.1.
Steps to perform the flow
sequenceDiagram
participant Client
participant AuthServer as Authentication Server
participant User
Client->>AuthServer: Token Request (with Username and Password)
AuthServer->>AuthServer: Validate Credentials
AuthServer-->>Client: Access Token, Refresh Token
- Application asks the user to enter email and password in a form
- Application performs a POST /oauth/token request with the following parameters:
  - client_id
  - client_secret
  - username (email)
  - password
- Unidy returns an access token, which the application can use to fetch user information by calling oauth/userinfo
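The steps above, carried out end to end as an added example (this is not Unidy's own client code). The endpoint paths /oauth/token and oauth/userinfo and the four form parameters come from this page; everything else is an assumption: the base URL is a placeholder, the grant_type=password parameter is what RFC 6749 requires for this grant but is not listed on the page, and the JSON shape of the token and userinfo responses is constructed. The request is sent through a pluggable transport so that the same client code runs offline against a constructed fake authentication server; only the stdlib is used.

```python
import json
import urllib.parse
import urllib.request

# Placeholder base URL; only the paths below are taken from the page.
BASE_URL = "https://unidy.example"


def build_token_request(client_id, client_secret, username, password):
    """Return (url, form_body_bytes, headers) for the password-grant token request."""
    params = {
        "grant_type": "password",  # assumed: RFC 6749 section 4.3, not listed on the page
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,  # the user's email
        "password": password,
    }
    body = urllib.parse.urlencode(params).encode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return BASE_URL + "/oauth/token", body, headers


def default_transport(url, body, headers):
    """Real HTTP transport: POST when a body is given, GET otherwise."""
    method = "POST" if body is not None else "GET"
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read()


def request_access_token(client_id, client_secret, username, password, transport=default_transport):
    """Step 2: exchange the user's credentials for a token; the password is not retained."""
    url, body, headers = build_token_request(client_id, client_secret, username, password)
    status, raw = transport(url, body, headers)
    if status != 200:
        raise RuntimeError("token request failed with HTTP %d" % status)
    token = json.loads(raw)
    if "access_token" not in token:
        raise RuntimeError("token response lacks access_token")
    return token


def fetch_userinfo(access_token, transport=default_transport):
    """Step 3: use the access token as a Bearer token to fetch user information."""
    url = BASE_URL + "/oauth/userinfo"
    headers = {"Authorization": "Bearer " + access_token, "Accept": "application/json"}
    status, raw = transport(url, None, headers)
    if status != 200:
        raise RuntimeError("userinfo request failed with HTTP %d" % status)
    return json.loads(raw)


def password_flow(client_id, client_secret, username, password, transport=default_transport):
    """Whole flow: credentials in, user information out. Only the token survives this call."""
    token = request_access_token(client_id, client_secret, username, password, transport)
    return fetch_userinfo(token["access_token"], transport)


class FakeAuthServer:
    """Constructed stand-in for the authentication server, used for offline runs only."""

    def __init__(self, client_secret, password):
        self.client_secret = client_secret
        self.password = password
        self.issued = {}  # access token -> username

    def __call__(self, url, body, headers):
        if url.endswith("/oauth/token"):
            form = dict(urllib.parse.parse_qsl(body.decode()))
            if (form.get("grant_type") != "password"
                    or form.get("client_secret") != self.client_secret
                    or form.get("password") != self.password):
                return 400, json.dumps({"error": "invalid_grant"}).encode()
            tok = "constructed-access-token-%d" % (len(self.issued) + 1)
            self.issued[tok] = form["username"]
            return 200, json.dumps({
                "access_token": tok,
                "token_type": "Bearer",
                "refresh_token": "constructed-refresh-token",
                "expires_in": 3600,
            }).encode()
        if url.endswith("/oauth/userinfo"):
            tok = headers.get("Authorization", "").removeprefix("Bearer ")
            if tok not in self.issued:
                return 401, json.dumps({"error": "invalid_token"}).encode()
            return 200, json.dumps({"sub": "constructed-user-id", "email": self.issued[tok]}).encode()
        return 404, b""


if __name__ == "__main__":
    fake = FakeAuthServer(client_secret="s3cret-example", password="correct horse")
    print(password_flow("client-example", "s3cret-example", "alice@example.com", "correct horse", fake))
```

The point to take from the structure: the password is passed into request_access_token and nowhere else, and the only thing that survives the token request is the access token, which is what the warning above is about. Replacing the transport with default_transport sends the same form-encoded POST to a real server.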