Password
This section describes how to obtain an access token using the password grant type.
Access token requirements: the username, the password and the client ID are all required to obtain an access token.
Request
Request headers
Key | Value | Description |
---|---|---|
Content-Type | application/x-www-form-urlencoded | Method for sending name-value pair data to the server, such as the information typed into an HTML form. |
HTTP request
POST https://{tenantId}.{hostname}/auth/realms/{tenantId}/protocol/openid-connect/token
note
API requests must be made over HTTPS. Calls made over plain HTTP will fail.
Request body (* = required)
Parameter Name | Type | Description |
---|---|---|
grant_type* | String | The grant type; must be set to password. |
username* | String | The username for which the token needs to be generated. |
password* | String | Password corresponding to the username. |
client_id* | String | The Client ID for which the access token is to be generated. |
client_secret | String | The secret corresponding to the given client ID. A secret exists only for clients whose access type was set to confidential during client creation. This parameter is optional. |
curl --location --request POST 'https://{tenantId}.{hostname}/auth/realms/{tenantId}/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=testuser' \
--data-urlencode 'password=abc123' \
--data-urlencode 'client_id=demo' \
--data-urlencode 'client_secret=4d759a23-e01d-4902-8727-98'
Response
Parameter Name | Type | Description |
---|---|---|
access_token | String | The newly created access token. |
expires_in | Integer | Validity of the access token in seconds. |
refresh_expires_in | Integer | Validity of the refresh token in seconds. |
refresh_token | String | The new refresh token. |
token_type | String | Indicates access token type. |
not-before-policy | Integer | Not-before timestamp: any tokens issued before this time are treated as invalid. |
session_state | String | Identifier of the end-user session. The value incorporates a salted cryptographic hash of the client ID, the root URL and the browser state, and is used to track the end user's session. |
scope | String | The scope requested for the token. |
Sample Response
{
"access_token": String,
"expires_in": Integer,
"refresh_expires_in": Integer,
"refresh_token": String,
"token_type": "Bearer",
"not-before-policy": 0,
"session_state": String,
"scope": String
}
Response Status Information
Status Code | Status | Message |
---|---|---|
200 | OK | OK |
400 | Bad Request | Unsupported grant_type |
400 | Bad Request | Invalid client credentials |
401 | Unauthorized | Invalid user credentials |
401 | Unauthorized | Invalid client secret |
404 | Not Found | Realm does not exist |
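The request and response described above, as an added client example that is not part of this documentation or the product's SDK: it encodes the form body, posts it to the token endpoint and maps the documented status codes to failures; the sample response, tenant id, hostname and credential values are constructed placeholders.

```python
import json
import time
from collections import namedtuple
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Constructed sample of the documented 200 response (placeholder values, not real tokens).
SAMPLE_RESPONSE = json.dumps({
    "access_token": "constructed-access", "expires_in": 300, "refresh_expires_in": 1800,
    "refresh_token": "constructed-refresh", "token_type": "Bearer", "not-before-policy": 0,
    "session_state": "constructed-session-id", "scope": "profile email"}).encode()

# Failure reasons taken from the response status table above.
STATUS_REASONS = {400: "unsupported grant_type or invalid client credentials",
                  401: "invalid user credentials or client secret",
                  404: "realm does not exist"}

# expires_at / refresh_expires_at are absolute epoch seconds computed from the relative *_in values.
TokenSet = namedtuple("TokenSet", "access_token refresh_token token_type expires_at refresh_expires_at session_state scope")

def token_url(tenant_id: str, hostname: str) -> str:
    """Token endpoint; always https, since plain http calls are rejected."""
    return f"https://{tenant_id}.{hostname}/auth/realms/{tenant_id}/protocol/openid-connect/token"

def build_form(username, password, client_id, client_secret=None) -> bytes:
    """application/x-www-form-urlencoded body; client_secret is sent only for confidential clients."""
    fields = {"grant_type": "password", "username": username, "password": password, "client_id": client_id}
    if client_secret:
        fields["client_secret"] = client_secret
    return urlencode(fields).encode()

def parse_token_response(status: int, body: bytes, now: float) -> TokenSet:
    """Build a TokenSet from a 200 reply, or raise with the documented reason for any other status."""
    if status != 200:
        raise PermissionError(f"token request failed: {status} {STATUS_REASONS.get(status, 'unexpected status')}")
    d = json.loads(body)
    return TokenSet(d["access_token"], d["refresh_token"], d["token_type"], now + int(d["expires_in"]),
                    now + int(d["refresh_expires_in"]), d["session_state"], d.get("scope", ""))

def request_token(tenant_id, hostname, username, password, client_id, client_secret=None, opener=urlopen):
    """POST the grant; `opener` is injectable so the flow can be exercised without a live server."""
    req = Request(token_url(tenant_id, hostname), data=build_form(username, password, client_id, client_secret),
                  headers={"Content-Type": "application/x-www-form-urlencoded"}, method="POST")
    try:
        with opener(req) as resp:  # never log req.data: it carries the user's password
            return parse_token_response(resp.status, resp.read(), time.time())
    except HTTPError as err:       # urllib raises on 4xx; route it through the same mapping
        return parse_token_response(err.code, err.read(), time.time())
```

Because the password grant hands the user's credentials to the client, callers should treat the request body like the password itself and rely on the absolute expiry fields rather than re-requesting tokens with stored credentials.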