
The client should avoid making assumptions about value sizes. The authorization server should take special care when enabling this grant type and only allow it when other flows are not viable. This grant type is suitable for clients capable of obtaining the resource owner's credentials (username and password, typically using an interactive form). It is also used to migrate existing clients using direct authentication schemes such as HTTP Basic or Digest authentication to OAuth by converting the stored credentials to an access token.

Authorization Request and Response

The method through which the client obtains the resource owner credentials is beyond the scope of this specification. The client MUST discard the credentials once an access token has been obtained.

grant_type: Value MUST be set to "password".
username: The resource owner username.
password: The resource owner password.

Since this access token request utilizes the resource owner's password, the authorization server MUST protect the endpoint against brute force attacks (e.

If the request failed client authentication or is invalid, the authorization server returns an error response as described in Section 5.

Client Credentials Grant

The client can request an access token using only its client credentials (or other supported means of authentication) when the client is requesting access to the protected resources under its control, or those of another resource owner that have been previously arranged with the authorization server (the method of which is beyond the scope of this specification).

Authorization Request and Response

Since the client authentication is used as the authorization grant, no additional authorization request is needed. The client MUST authenticate with the authorization server as described in Section 3.

Access Token Response

If the access token request is valid and authorized, the authorization server issues an access token as described in Section 5.

A refresh token SHOULD NOT be included.

Issuing an Access Token

If the access token request is valid and authorized, the authorization server issues an access token and optional refresh token as described in Section 5.
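An added example (not code from the specification) of a token endpoint handling the two grants just described: it authenticates the client, issues no refresh token for client_credentials, requires username and password for the password grant, and locks a username after repeated failures as one form of the brute-force protection the text mandates. The credential stores, the lockout threshold of 5 and the token values are constructed; the error codes are the values from the specification's error response section.

```python
import hmac
import secrets
from collections import defaultdict

# Constructed credential stores; a real server would use a database and store hashes.
RESOURCE_OWNERS = {"alice": "correct horse battery staple"}
CLIENTS = {"reporting-job": "client-secret-1"}
MAX_FAILURES = 5            # constructed lockout threshold; the RFC requires
_failed = defaultdict(int)  # brute-force protection but prescribes no scheme

def _error(code, status=400, auth_via_header=False):
    headers = {"Content-Type": "application/json"}
    if status == 401 and auth_via_header:
        # a 401 must carry WWW-Authenticate matching the scheme the client used
        headers["WWW-Authenticate"] = 'Basic realm="token"'
    return status, headers, {"error": code}

def _token_response(include_refresh):
    body = {"access_token": secrets.token_urlsafe(32),
            "token_type": "example",  # "example" is reserved for examples
            "expires_in": 3600}
    if include_refresh:
        body["refresh_token"] = secrets.token_urlsafe(32)
    return 200, {"Content-Type": "application/json"}, body

def _matches(expected, supplied):
    return expected is not None and supplied is not None and \
        hmac.compare_digest(expected.encode(), supplied.encode())

def token_endpoint(form, client_id, client_secret, auth_via_header=True):
    """Handle one token request. form: decoded request body; the client
    credentials arrive via HTTP Basic (auth_via_header) or in the form."""
    if not _matches(CLIENTS.get(client_id), client_secret):
        return _error("invalid_client", 401, auth_via_header)
    grant = form.get("grant_type")
    if grant == "client_credentials":
        return _token_response(include_refresh=False)  # no refresh token here
    if grant == "password":
        user, pw = form.get("username"), form.get("password")
        if user is None or pw is None:
            return _error("invalid_request")
        if _failed[user] >= MAX_FAILURES:
            return _error("invalid_grant")  # locked out: brute-force protection
        if not _matches(RESOURCE_OWNERS.get(user), pw):
            _failed[user] += 1
            return _error("invalid_grant")
        _failed[user] = 0  # credentials were correct; the server keeps no copy
        return _token_response(include_refresh=True)
    return _error("unsupported_grant_type")
```

Locking on the username alone is the simplest mechanism and can be abused to lock users out; production servers usually combine it with per-client and per-source rate limiting and alerting.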

The refresh token, which can be used to obtain new access tokens using the same authorization grant as described in Section 6. The parameters are serialized into a JavaScript Object Notation (JSON) structure by adding each parameter at the highest structure level. Parameter names and string values are included as JSON strings. Numerical values are included as JSON numbers. The order of parameters does not matter and can vary. The sizes of tokens and other values received from the authorization server are left undefined.

Error Response

The authorization server responds with an HTTP 400 (Bad Request) status code (unless specified otherwise) and includes the following parameters with the response: error REQUIRED. The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the "Authorization" request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code and include the "WWW-Authenticate" response header field matching the authentication scheme used by the client.
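An added client-side example (not from the specification) that interprets the success and error responses described above: it treats parameter order and value length as irrelevant, checks that strings and numbers arrive with the JSON types the text requires, refuses a token whose type the client does not understand, and surfaces the error code and any WWW-Authenticate header on a failure. The set of known token types and the two client-side codes "malformed_response" and "unknown_token_type" are constructed.

```python
import json

KNOWN_TOKEN_TYPES = {"example"}  # constructed: the types this client knows how to use

class TokenError(Exception):
    """An error response from the token endpoint; .code is the error parameter."""
    def __init__(self, code, status, www_authenticate=None):
        super().__init__(f"HTTP {status}: {code}")
        self.code, self.status, self.www_authenticate = code, status, www_authenticate

def parse_token_response(status, headers, body):
    """Interpret a token endpoint reply given its status, header dict and raw body.
    "malformed_response" and "unknown_token_type" are constructed client-side labels."""
    try:
        params = json.loads(body)
    except ValueError as exc:
        raise TokenError("malformed_response", status) from exc
    if not isinstance(params, dict):
        raise TokenError("malformed_response", status)
    if status != 200:
        code = params.get("error")  # REQUIRED on an error response
        if not isinstance(code, str):
            raise TokenError("malformed_response", status)
        lowered = {k.lower(): v for k, v in headers.items()}
        # on a 401 the server includes WWW-Authenticate; hand it to the caller
        raise TokenError(code, status, lowered.get("www-authenticate"))
    token, token_type = params.get("access_token"), params.get("token_type")
    if not isinstance(token, str) or not isinstance(token_type, str):
        raise TokenError("malformed_response", status)
    if token_type.lower() not in KNOWN_TOKEN_TYPES:  # type names are case insensitive
        raise TokenError("unknown_token_type", status)  # MUST NOT use such a token
    expires_in = params.get("expires_in")
    if expires_in is not None and (isinstance(expires_in, bool)
                                   or not isinstance(expires_in, (int, float))):
        raise TokenError("malformed_response", status)  # numbers arrive as JSON numbers
    result = {"access_token": token, "token_type": token_type, "expires_in": expires_in}
    for name in ("refresh_token", "scope"):  # optional strings; no length is assumed
        if name in params:
            if not isinstance(params[name], str):
                raise TokenError("malformed_response", status)
            result[name] = params[name]
    return result
```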

The parameters are serialized into a JSON structure by adding each parameter at the highest structure level.

refresh_token: The refresh token issued to the client.

The requested scope MUST NOT include any scope not originally granted by the resource owner, and if omitted is treated as equal to the scope originally granted by the resource owner.

Because refresh tokens are typically long-lasting credentials used to request additional access tokens, the refresh token is bound to the client to which it was issued. If valid and authorized, the authorization server issues an access token as described in Section 5. If the request failed verification or is invalid, the authorization server returns an error response as described in Section 5. The authorization server MAY issue a new refresh token, in which case the client MUST discard the old refresh token and replace it with the new refresh token.

The authorization server MAY revoke the old refresh token after issuing a new refresh token to the client. If a new refresh token is issued, the refresh token scope MUST be identical to that of the refresh token included by the client in the request.

Accessing Protected Resources

The client accesses protected resources by presenting the access token to the resource server. The resource server MUST validate the access token and ensure that it has not expired and that its scope covers the requested resource.

The methods used by the resource server to validate the access token (as well as any error responses) are beyond the scope of this specification but generally involve an interaction or coordination between the resource server and the authorization server.
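An added example (not code from the specification) covering both the refresh token handling in the preceding paragraphs and the resource server checks just described: the refresh token is bound to the client it was issued to, a requested scope may only narrow the original grant, rotation revokes the old token and gives the new one identical scope, and the resource server verifies the access token is known, unexpired and sufficiently scoped. The in-memory stores, the 3600-second lifetime and the resource server reason strings are constructed; the error codes in the token responses are the specification's own.

```python
import secrets
import time

# Constructed in-memory stores; a real authorization server would persist these.
REFRESH_TOKENS = {}  # refresh_token -> {"client_id": str, "scope": set}
ACCESS_TOKENS = {}   # access_token -> {"scope": set, "expires_at": float}
ACCESS_TTL = 3600    # constructed access token lifetime in seconds

def issue_refresh(client_id, scope):
    """Mint a refresh token bound to the client and the scope the owner granted."""
    token = secrets.token_urlsafe(32)
    REFRESH_TOKENS[token] = {"client_id": client_id, "scope": set(scope)}
    return token

def refresh_grant(client_id, refresh_token, requested_scope=None, rotate=True, now=None):
    """Token endpoint handling for grant_type=refresh_token; returns (status, body)."""
    now = time.time() if now is None else now
    rec = REFRESH_TOKENS.get(refresh_token)
    if rec is None or rec["client_id"] != client_id:
        return 400, {"error": "invalid_grant"}  # unknown, revoked, or another client's token
    granted = rec["scope"]
    scope = granted if requested_scope is None else set(requested_scope)
    if not scope <= granted:
        return 400, {"error": "invalid_scope"}  # must not exceed the original grant
    access = secrets.token_urlsafe(32)
    ACCESS_TOKENS[access] = {"scope": scope, "expires_at": now + ACCESS_TTL}
    body = {"access_token": access, "token_type": "example",
            "expires_in": ACCESS_TTL, "scope": " ".join(sorted(scope))}
    if rotate:  # server MAY rotate: revoke the old token, the new one keeps identical scope
        del REFRESH_TOKENS[refresh_token]
        body["refresh_token"] = issue_refresh(client_id, granted)
    return 200, body

def resource_server_check(access_token, required_scope, now=None):
    """Resource server validation: token known, not expired, scope covers the resource.
    The reason strings are constructed labels; the RFC leaves this error format open."""
    now = time.time() if now is None else now
    rec = ACCESS_TOKENS.get(access_token)
    if rec is None:
        return "unknown"
    if now >= rec["expires_at"]:
        return "expired"
    if not set(required_scope) <= rec["scope"]:
        return "insufficient_scope"
    return "ok"
```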

The method in which the client utilizes the access token to authenticate with the resource server depends on the type of access token issued by the authorization server.

Access Token Types

The access token type provides the client with the information required to successfully utilize the access token to make a protected resource request (along with type-specific attributes). The client MUST NOT use an access token if it does not understand the token type.

It also defines the HTTP authentication method used to include the access token when making a protected resource request.

Error Response

If a resource access request fails, the resource server SHOULD inform the client of the error. While the specifics of such error responses are beyond the scope of this specification, this document establishes a common registry in Section 11.

New authentication schemes designed primarily for OAuth token authentication SHOULD define a mechanism for providing an error status code to the client, in which the error values allowed are registered in the error registry established by this specification. If the error code is returned using a named parameter, the parameter name SHOULD be "error". Other schemes capable of being used for OAuth token authentication, but not primarily designed for that purpose, MAY bind their error values to the registry in the same manner.

Defining Access Token Types

Access token types can be defined in one of two ways: registered in the Access Token Types registry (following the procedures in Section 11.

Types utilizing a URI name SHOULD be limited to vendor-specific implementations that are not commonly applicable, and are specific to the implementation details of the resource server where they are used. All other types MUST be registered. Type names MUST conform to the type-name ABNF.

The token type "example" is reserved for use in examples.

Defining New Endpoint Parameters

New request or response parameters for use with the authorization endpoint or the token endpoint are defined and registered in the OAuth Parameters registry following the procedure in Section 11. Parameter names MUST conform to the param-name ABNF, and parameter values syntax MUST be well-defined (e.

If the extension grant type requires additional token endpoint parameters, they MUST be registered in the OAuth Parameters registry as described by Section 11.

Defining New Authorization Endpoint Response Types

New response types for use with the authorization endpoint are defined and registered in the Authorization Endpoint Response Types registry following the procedure in Section 11. Response type names MUST conform to the response-type ABNF.

Only one order of values can be registered, which covers all other arrangements of the same set of values. For example, the response type "token code" is left undefined by this specification. However, an extension can define and register the "token code" response type. Once registered, the same combination cannot be registered as "code token", but both values can be used to denote the same response type.
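An added example (not from the specification) of a registry that behaves as the paragraph above requires: entries are keyed by the set of names, so "token code" and "code token" denote one response type, and a second registration of the same set is refused. The name syntax follows the response-type ABNF in RFC 6749 (names of letters, digits and underscore separated by single spaces); the registry contents and the rule rejecting a repeated name are constructed.

```python
import re

# response-name per the RFC 6749 response-type ABNF: one or more of "_", DIGIT, ALPHA;
# a response-type is one or more names separated by single spaces
_RESPONSE_NAME = re.compile(r"^[A-Za-z0-9_]+$")

class ResponseTypeRegistry:
    """Registry keyed by the *set* of names, so "token code" and "code token" collide."""

    def __init__(self):
        self._entries = {}  # frozenset of names -> spelling under which it was registered

    @staticmethod
    def parse(value):
        """Split a response_type string into its set of names, rejecting malformed input."""
        names = value.split(" ")  # a double space yields "" and fails the name check
        if not all(_RESPONSE_NAME.match(n) for n in names):
            raise ValueError(f"malformed response_type: {value!r}")
        if len(set(names)) != len(names):  # constructed rule: a repeated name is rejected
            raise ValueError(f"duplicate name in response_type: {value!r}")
        return frozenset(names)

    def register(self, value):
        key = self.parse(value)
        if key in self._entries:
            raise ValueError(f"{value!r} is already registered as {self._entries[key]!r}")
        self._entries[key] = value
        return key

    def lookup(self, value):
        """Return the registered spelling for any ordering of the same names, else None."""
        return self._entries.get(self.parse(value))

def build_registry():
    """Constructed registry holding the two base types plus an extension's "token code"."""
    reg = ResponseTypeRegistry()
    for value in ("code", "token", "token code"):
        reg.register(value)
    return reg
```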

Defining Additional Error Codes

In cases where protocol extensions (i.