OpenID Connect support with the resource owner password grant type

According to the OpenID Connect specification, the authorization code and implicit flows are the recommended ways to obtain an id_token, but the specification does not say that other grant types cannot be used. Therefore any other grant type can be used for an OpenID Connect authentication request. Some OAuth2 authorization servers support the resource owner password grant type for obtaining an id_token, and custom grant types are possible too, as mentioned here. Keep in mind that the password grant hands the user's credentials to the client application, and the OAuth 2.0 Security Best Current Practice says it must not be used; treat it as an option only for first-party clients you fully control.

WSO2IS also supports issuing an id_token with the password grant type. Let's see how it works.
Step 1. Register an OAuth application using WSO2IS management console.

Important: If you are using WSO2 APIM, you do not need this step. Once you subscribe an application to an API, the API Store registers the OAuth client for you automatically.

Go to the Service Provider configuration page and register a service provider (SP) application. Then configure the OAuth/OpenID Connect inbound authentication details.

The callback URL can be any URL: it is only used by redirect-based grants (authorization code and implicit), so it does not matter for the password grant. If the application will only ever use the password grant, untick the other allowed grant types as well, so the registered client cannot be abused in a redirect flow you never intended to support.
The OAuth consumer key and secret are generated for you. The secret is what authenticates the client at the token endpoint, so store it like a password.


Step 2. Send the OpenID Connect request using the password grant type. Your request would be as follows (the scope=openid parameter is what asks the server for an id_token):

POST /oauth2/token HTTP/1.1
 Host: localhost:9443
 Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
 Content-Type: application/x-www-form-urlencoded

 grant_type=password&username=asela&password=asela&scope=openid


The Authorization header carries HTTP Basic client authentication: the base64 encoding of the string consumer_key:consumer_secret (the sample value above decodes to s6BhdRkqt3:gX1fBat3bV).

You can use a simple curl command to send the request; curl's --user option builds the Basic header for you. A sample curl command would be as follows.

curl --user ZTh12LlAv8gU0I32KgCbwM5ouJ4a:XQ789Q0mfPr7VSNpp_MHhz4Pkeka \
  -k -d "grant_type=password&username=asela&password=asela&scope=openid" \
  -H "Content-Type: application/x-www-form-urlencoded" https://localhost:9443/oauth2/token

Two caveats: -k disables TLS certificate verification and is only acceptable here because the default WSO2IS installation ships a self-signed certificate, and both the consumer secret and the user's password are passed on the command line, so they end up in your shell history.

You will receive the id_token in the response, alongside the access_token.


You can base64-decode the id_token and see its content. Please note that the id_token is a JWT: it consists of a header, a body (the claims) and a signature, separated by dots (.), and each part is base64url-encoded without padding, so a plain base64 decoder will reject it until you restore the padding. Therefore you need to split the three components and decode each one separately. Decoding is not verification: before trusting any claim in the body, a client must check the signature against the WSO2IS public certificate, and check that iss, aud and exp are what it expects.
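The following is an added example, not code from the original post or from WSO2. It builds the two pieces of the step 2 request that the curl command hides (the Basic header and the form body) and then decodes and verifies a JWT id_token instead of only base64-decoding it. It uses only the Python standard library; the issuer value, the client id, the claim values and the HS256 signing key are assumptions made for the demo. A real WSO2IS id_token is RSA-signed, so in practice the signature check uses the server's public certificate rather than a shared secret.

```python
"""Added example (not from the original post or WSO2): token-request helpers
plus decode-and-verify of a JWT id_token. Standard library only."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Demo assumptions; a real client takes these from its SP configuration.
DEMO_ISSUER = "https://localhost:9443/oauth2/token"  # assumed iss value
DEMO_CLIENT_ID = "ZTh12LlAv8gU0I32KgCbwM5ouJ4a"        # consumer key from the curl sample
DEMO_KEY = b"demo-shared-secret"                      # constructed HS256 key, demo only


def basic_auth_header(client_id, client_secret):
    """HTTP Basic value for the token request: base64(client_id:client_secret),
    which is exactly what curl --user produces."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def password_grant_body(username, password, scope="openid"):
    """Form-encoded body; scope=openid is what makes the server add an id_token."""
    return urlencode({"grant_type": "password", "username": username,
                      "password": password, "scope": scope})


def b64url_decode(segment):
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt(token):
    """Split header.payload.signature and parse the two JSON parts.
    This only reads the token; nothing here proves who issued it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token must have exactly three dot-separated parts")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, b64url_decode(parts[2])


def verify_id_token(token, key, issuer, client_id, now=None):
    """Decode and verify: pin the algorithm, check the signature over
    header.payload, then check iss, aud and exp before returning the claims."""
    now = time.time() if now is None else now
    header, payload, signature = decode_jwt(token)
    # Pin the expected algorithm; never let the token choose (alg=none attacks).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input = token.rsplit(".", 1)[0].encode()   # "header.payload"
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise ValueError("signature check failed")
    if payload.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = payload.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued to this client")
    if float(payload.get("exp", 0)) <= now:
        raise ValueError("token has expired")
    return payload


def make_hs256_id_token(payload, key):
    """Constructed stand-in for the id_token WSO2IS would return (demo only)."""
    def enc(obj):
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc({"alg": "HS256", "typ": "JWT"}) + "." + enc(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


if __name__ == "__main__":
    now = int(time.time())
    claims = {"iss": DEMO_ISSUER, "sub": "asela", "aud": DEMO_CLIENT_ID,
              "exp": now + 3600, "iat": now}
    token = make_hs256_id_token(claims, DEMO_KEY)
    print(basic_auth_header("s6BhdRkqt3", "gX1fBat3bV"))
    print(password_grant_body("asela", "asela"))
    print(json.dumps(decode_jwt(token)[1], indent=2))
    print("verified sub:", verify_id_token(token, DEMO_KEY, DEMO_ISSUER, DEMO_CLIENT_ID)["sub"])
```

The order inside verify_id_token matters: the algorithm is pinned before the signature is checked, and the signature is checked before any claim is read, so a token with a forged body never gets as far as the issuer or audience comparison.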

The decoded sample token body would be as follows.


Step 3. Retrieving user attributes. You can also retrieve the user's attributes by calling the /userinfo endpoint, presenting the access_token from step 2 (not the id_token) as a bearer token. Your request would be as follows.

 GET /oauth2/userinfo?schema=openid HTTP/1.1
 Host: localhost:9443
 Authorization: Bearer 15d97c96afa258dcc51764d595efc8f4

A sample curl command for it:

curl -k -H "Authorization: Bearer 15d97c96afa258dcc51764d595efc8f4"   https://localhost:9443/oauth2/userinfo?schema=openid

The user's attributes are returned as a JSON response, for example:

"given_name":"asela","country":"United States"}

Thanks for reading…

Discuss this article on Stack Overflow


    1. It normally returns the claims that are configured under the “” claim dialect. Due to some issue [1], these claim mappings must be configured with the default claim dialect (which is “”) as well.


  1. How can I get all the custom dialects / claims which I configured at the SP? I am only getting those details (values) which were part of the user schema by default.

    1. No, it does not return them. According to the OpenID Connect specification, Userinfo must return the above specific claim names.

  2. Hello,
    How does it support SSO? Like, how to manage SSO when using the Resource Owner Password Grant flow? For the Code and Implicit flows, a browser cookie is the way to go, but how to handle this scenario in the Resource Owner Password Grant flow?
