Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

OneWelcome Identity Platform
- Explore Thales Docs

IDAAS core
User journey orchestration
Consent and preference management
Delegated user management
- Getting started
- Roles
- Rules
- User management
- Self service page
- Data
- APIs
- Apps
- Jobs
- Reports
Externalized authorization
Identity broker
Mobile identity
Mobile SDK
API references
Release notes and FAQ
Integrations

All

All

Web clients

Resource owner password credentials

IDAAS core
Tenants and brands
Identity store and data model
SCIM API
- SCIM schemas
- SCIM user management
- SCIM user attributes
- SCIM API versions
Credential store
- Email address management
- Password management
- Password migration
Tokens
- Access tokens
- ID tokens
- Refresh tokens
- Access token API
- Token introspection API
Authentication
- Client authentication methods
- Step-up authentication
- Custom authenticators
- Authentication FAQ
Custom registration
- Custom registration examples
- QR registration example
- Stateless custom registration
- Custom registration API v1
- Custom registration v2
- Back-channel communication API
OAuth 2.0 and OpenID Connect
- OAuth 2.0 and OpenID Connect API
- Proof Key for Code Exchange
- Dynamic client registration API
- OAuth client authentication methods
- Device flow
- OAuth OIDC error handling
- OAuth 2.0 and OpenID Connect setup
- OpenID Connect
- OpenID Connect authentication
- OpenID Connect scopes and claims
- User claims and attributes
- OpenID provider configuration
- ID token encryption
- iFrame session monitoring
  - Relying party iFrame
  - End session API
  - Session management APIs
- Relying party examples
- OAuth endpoints
- Discovery API
- JSON Web Key Set API
- User information API
- OAuth configuration
- OAuth consent API
Web clients
- Web clients API
- Migration of web clients with hashed secrets
- Resource owner password credentials
Web hooks
- Web hooks configuration API
API rules
Notification API
Event store
- Audit events
- Audit log
- Events API
- Excluded events
- Security events
Securing resources
User session API
User management
Uniquely identify guests
Email overview

Was this document helpful? Yes No

Feedback Sent!

If you like, you can provide additional feedback.

OneWelcome Identity Platform
IDAAS core
Web clients
Resource owner password credentials

Resource owner password credentials

Warning

The resource owner password credentials (ROPC) grant type is deprecated and are no longer considered secure for most scenarios. ROPC directly handles usernames and passwords, which could increase the risk of security vulnerabilities. We strongly recommend migrating to custom registration flows, which provide enhanced security features and better align with current best practices in identity management. Additionally, it's imperative to restrict the use of the ROPC flow solely to private clients capable of securely holding a secret. Failure to protect this secret renders the token endpoint vulnerable to credential stuffing attacks.

The resource owner password credentials grant type cannot be chosen when either the authorization code or device code type is configured and vice-versa.

Features that require user interaction via the browser are not supported for web clients using ROPC. So, for example, consent and additional user authentication methods (such as SMS) are not available.

The ROPC feature works with the SAML ECP PAOS binding and allows integration with the IDAAS-core proprietary API using the resource owner password credentials integration. Therefore, a web client using this feature has two authentication options:

SAML ECP PAOS Binding: The web client should be configured with a SAML identity provider in this case. The configured SAML identity provider requires a single sign-on service with the urn:oasis:names:tc:SAML:2.0:bindings:SOAP binding in its metadata. Attribute mappings of the identity provider are used to set the user ID and other user properties.
IDAAS-core proprietary API: The web client can use the OneWelcome Identity Platform identity provider with the resource owner password credentials integration. This integration allows communication with the public OneWelcome Identity Platform API for authentication using the username and password for the ROPC flow.

The RFC specifies that the authorization server should protect against brute force attacks. For this protection, the OneWelcome Identity Platform relies on the identity provider that is used.

When a scope verification service is configured, the requested scopes are verified. If there is a verification failure, a 400 Bad request response with an unauthorized_user error is returned. This error response contains an error_uri field containing the scope validation failed URI configured for this scope.

For other error responses, refer to the RFC.

On this page

OneWelcome Identity Platform

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
- Customer Release Notes
- Support Contacts
Legal
- End User License Agreement
- Terms of Service

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com