
Password Flow


In the password flow the application itself handles the user's credentials, so this flow should only be used with clients that are fully trusted.

You can use the Password Flow to create an access token.

We do not recommend using this flow!

Applications need to ask the user for their username (email) and password and send them to their backend before an access token can be created. These credentials could end up being stored for reuse later. If possible, use a different flow such as the Authorization Code Flow.

As pointed out in the OAuth 2.0 Security Best Current Practice, using this flow is not recommended, and it will be removed in OAuth 2.1.

Steps to perform the flow

```mermaid
sequenceDiagram
    participant Client
    participant AuthServer as Authentication Server
    participant User

    Client->>AuthServer: Token Request (with Username and Password)
    AuthServer->>AuthServer: Validate Credentials
    AuthServer-->>Client: Access Token, Refresh Token
```

  1. The application asks the user to enter their email and password in a form.
  2. The application performs a POST /oauth/token request with the following parameters:
    • client_id
    • client_secret
    • username (email)
    • password
  3. Unidy returns an access token, which the application can use to fetch user information by calling oauth/userinfo.
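Steps 2 and 3 as a minimal client, added here as an example and not Unidy's own code. It assumes a base URL such as https://id.example.com, that both endpoints return JSON, and the standard RFC 6749 grant_type=password parameter, which the page does not list; the transport is injectable so the exchange can be exercised without a network.

```python
import json
import urllib.parse
import urllib.request

TOKEN_PATH = "/oauth/token"        # endpoints as named on the page
USERINFO_PATH = "/oauth/userinfo"
FORM = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}


def build_token_request(base_url, client_id, client_secret, username, password):
    # Step 2: POST /oauth/token with the four parameters the page lists.
    # grant_type=password is the standard RFC 6749 parameter for this grant;
    # it is assumed here and is not listed on the page.
    if not base_url.startswith("https://"):
        raise ValueError("user credentials must only be sent over TLS")
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
    }).encode("utf-8")
    return urllib.request.Request(base_url + TOKEN_PATH, data=body,
                                  headers=FORM, method="POST")


def build_userinfo_request(base_url, access_token):
    # Step 3: present the access token as a Bearer token to oauth/userinfo.
    headers = {"Authorization": "Bearer " + access_token, "Accept": "application/json"}
    return urllib.request.Request(base_url + USERINFO_PATH, headers=headers)


def _send(request):
    # Default transport: perform the request and return the response body.
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.read()


def password_flow(base_url, client_id, client_secret, username, password, send=_send):
    # Runs steps 2 and 3. The password is used for exactly one request and
    # is not kept; only the returned tokens live on. `send` is injectable so
    # the exchange can be exercised offline with a fake transport.
    token = json.loads(send(build_token_request(
        base_url, client_id, client_secret, username, password)))
    if "access_token" not in token:
        raise RuntimeError("token response carried no access_token: %r" % token)
    userinfo = json.loads(send(build_userinfo_request(base_url, token["access_token"])))
    return token, userinfo
```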