ROPC authentication flow

Trusted and secure applications can employ the Resource Owner Password Credentials (ROPC) flow. In this flow, users supply their credentials (username and password) directly to the application through an interactive form, and the application exchanges them for a token.

When should I use this flow? 🤔

It should only be used with confidential clients. It should never be used with public clients.

The Resource Owner Password Flow should only be utilized when redirect-based flows, such as the Authorization Code with PKCE flow, cannot be used for whatever reason.

It is crucial to note that these credentials are transmitted to the application's backend, and may be stored there for future use, before being exchanged for an access token. The application must therefore be completely trustworthy with such sensitive information.

Flow

[Figure: auth with ROPC flow]
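The exchange described above, written out as a client-side example (added here; this is not code from the original page or from any particular authorization server). It follows the ROPC grant as defined in RFC 6749 section 4.3: a confidential client authenticates to the token endpoint with HTTP Basic, posts `grant_type=password` with the user's credentials, and receives a bearer token. The endpoint URL, client id and secret, user credentials, and the sample responses are all constructed placeholders. The request builder refuses to run without a client secret, which encodes the page's rule that ROPC is for confidential clients only.

```python
"""
Client side of the OAuth 2.0 Resource Owner Password Credentials grant
(RFC 6749 section 4.3). Illustrative example: endpoint, client credentials,
user credentials and the sample token responses below are all made up.
"""
import base64
import json
import urllib.error
import urllib.request
from urllib.parse import urlencode

# Assumed value; a real deployment supplies its own token endpoint.
TOKEN_ENDPOINT = "https://auth.example.com/oauth/token"


def build_ropc_token_request(token_endpoint, client_id, client_secret,
                             username, password, scope=None):
    """Return one ROPC token request as a dict: method, url, headers, body.

    client_secret is mandatory. ROPC is acceptable only for confidential
    clients, so a caller with no secret (a public client) is rejected here.
    """
    if not client_secret:
        raise ValueError("ROPC must not be used by a public client (no client_secret)")
    # Client authentication via HTTP Basic (RFC 6749 section 2.3.1).
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    # The user's password is placed in the form body for this one request
    # and is not retained anywhere else by this client.
    form = {"grant_type": "password", "username": username, "password": password}
    if scope:
        form["scope"] = scope
    return {"method": "POST", "url": token_endpoint,
            "headers": headers, "body": urlencode(form)}


def parse_token_response(status, body):
    """Turn the token endpoint's JSON reply into a dict, or raise.

    Success (RFC 6749 section 5.1) carries access_token and token_type plus
    optional expires_in, refresh_token and scope. Failure (section 5.2)
    carries error and an optional error_description.
    """
    data = json.loads(body)
    if status != 200:
        msg = data.get("error", "unknown_error")
        if data.get("error_description"):
            msg += ": " + data["error_description"]
        raise PermissionError(msg)
    if "access_token" not in data or data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token response")
    return {
        "access_token": data["access_token"],
        "expires_in": int(data.get("expires_in", 0)),
        "refresh_token": data.get("refresh_token"),
        "scope": data.get("scope"),
    }


def send_token_request(req):
    """Perform the exchange over the network (not used by the offline demo)."""
    http_req = urllib.request.Request(req["url"], data=req["body"].encode(),
                                      headers=req["headers"], method=req["method"])
    try:
        with urllib.request.urlopen(http_req) as resp:
            return parse_token_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:
        return parse_token_response(e.code, e.read().decode())


# Constructed sample replies, shaped like a token endpoint's responses.
SAMPLE_SUCCESS = json.dumps({
    "access_token": "eyJ.constructed.token", "token_type": "Bearer",
    "expires_in": 3600, "refresh_token": "constructed-refresh", "scope": "read",
})
SAMPLE_FAILURE = json.dumps({
    "error": "invalid_grant", "error_description": "bad username or password",
})

if __name__ == "__main__":
    req = build_ropc_token_request(TOKEN_ENDPOINT, "backend-app", "s3cret",
                                   "alice", "correct horse", scope="read")
    print(req["headers"]["Authorization"], req["body"])
    print(parse_token_response(200, SAMPLE_SUCCESS))
```

The password appears in exactly one place, the form body of the single token request; the client keeps the resulting access token and refresh token, never the user's credentials. Because ROPC hands the raw password to the application, the check in `build_ropc_token_request` is the minimum a client should enforce; it does nothing to make a public client safe, it only stops the flow from being used where the page says it must not be.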