3

The need of OAuth arose because we wanted to give access of some of our resources at the Resource Server (for example my Name/Email at Facebook) to the 3rd party apps. This justifies various grant-types.

But for the "password" grant-type, the specification says this type is suitable in cases where the resource owner has a trust relationship with the client.

My question is what is the need of adding more complication if we can manage the trusted app with username/password?

The only relevant thing I can find at the spec is:

It is also used to migrate existing clients using direct authentication schemes such as HTTP Basic or Digest authentication to OAuth by converting the stored credentials to an access token.

If this is the only reason, how would I get affected if I use direct authentication with "trusted-apps"?

Improve this question

1 Answer 1

Reset to default
4

First thing is that we should try to avoid password grant type as much as possible. But the reason why it is there is because it is better than storing the password.

Reasons: Password grant doesn't need user to store his/her username password in the client. It is used only once only to get the access token.

  1. Storing only the token is secure than storing the password in an external application (mobile aps, server side apps etc)
  2. If user changes the password at the IDP, then app will again have to ask the user to enter his new password. This is not a good user experience. But in password grant-type, app can use the refresh token even when the user has changed the password.
Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.