The resource owner password grant type allows requesting tokens on behalf of a user by sending the user’s name and password to the token endpoint. This is “non-interactive” authentication and is generally not recommended. There may be instances in certain legacy or first-party integration scenarios where the password grant type is useful, but the general recommendation is to use an interactive flow like implicit or auth code for user authentication.
The following is a Postman request for an Access and a Refresh Token using the Password Grant:
Parameters:Form encoded body containing the following fields with values:
client_id, client_secret, grant_type, username, password, acr_values, scope
You should see the response with the Access and Refresh Tokens with an HTTP Status Code of 200 OK. You can now use the access_token for calling the API resources (and use the refresh token to retrieve a new access and refresh token without resubmitting the user credentials).