Question
· Sep 6, 2018

Using Caché OAuth 2.0 authorization server with password grant

I'm using Caché as an OAuth authorization server and I want to accept the password credentials grant type. I've found that if I make an authorize request, the Caché authorization server requires some URL parameters that shouldn't be required in password grant (redirect_uri, state, scope, and response_type). If I include these parameters, it calls my DirectLogin() method instead of just calling ValidateUser() as I would expect from the docs. I have two questions:

1. Why does the authorize request fail without these additional parameters?

2. If I'm using DirectLogin, do I need to customize my method to handle password grant?

For reference, here's the authorize request I'm making:

POST /oauth2/authorize
Content-type: application/x-www-form-urlencoded

grant_type=password
username=pravin
password=1234
client_id=xxxxxx
client_secret=xxxxxx
redirect_uri=xxxxxx
response_type=token
state=1234
scope=profile

Hi Pilar,
Here's an example call using password grant that works for me. You might have to change the endpoint depending on your OAuth server configuration.

POST /oauth2/token
Content-type: application/x-www-form-urlencoded

grant_type=password
username=pravin
password=1234
client_id=xxxxxx
client_secret=xxxxxx
redirect_uri=xxxxxx
response_type=token
state=1234
scope=profile

This authenticates the user and returns JSON with the access token as expected.
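The two requests in this thread, as an added example that is not part of the original question or answer and not Caché/InterSystems code: a small Python client that builds a resource-owner password-credentials request for a token endpoint the way RFC 6749 section 4.3 defines it, flags the authorization-endpoint parameters (redirect_uri, response_type, state) that the thread's requests carry but the password grant does not use, and validates the JSON token response. The host name, client id and secret are placeholders; the client authenticates with HTTP Basic (RFC 6749 section 2.3.1) rather than putting client_secret in the body, which is the other form the RFC allows.

```python
"""Added example (not from the thread or from Caché): minimal OAuth 2.0
password-grant client pieces per RFC 6749. Host, client id and secret
below are placeholders."""
import base64
import json
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

# Parameters the password grant defines for the token endpoint (s4.3.2).
PASSWORD_GRANT_PARAMS = {"grant_type", "username", "password", "scope"}
# Parameters that belong to the authorization endpoint (s4.1.1 / s4.2.1)
# and carry no meaning in a grant_type=password token request.
AUTHORIZE_ONLY_PARAMS = {"redirect_uri", "response_type", "state"}


def build_password_grant_request(token_url, client_id, client_secret,
                                 username, password, scope=None):
    """Return (url, headers, body) for a password-grant token request.

    Client credentials go in an HTTP Basic header; only password-grant
    parameters go into the form body.
    """
    form = {"grant_type": "password", "username": username, "password": password}
    if scope:
        form["scope"] = scope
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return token_url, headers, urlencode(form).encode()


def stray_authorize_params(body):
    """List authorization-endpoint parameters found in a form body.

    A pre-send check: the requests in the thread carried redirect_uri,
    response_type and state, none of which the token endpoint needs for
    grant_type=password.
    """
    present = set(parse_qs(body.decode(), keep_blank_values=True))
    return sorted(present & AUTHORIZE_ONLY_PARAMS)


def parse_token_response(raw):
    """Validate a token response (RFC 6749 s5.1 / s5.2) and return the
    fields a client should keep. Raises ValueError on error responses or
    malformed success responses."""
    data = json.loads(raw)
    if "error" in data:
        detail = data.get("error_description", "")
        raise ValueError(f"token endpoint error: {data['error']} {detail}".strip())
    if "access_token" not in data or "token_type" not in data:
        raise ValueError("response lacks access_token/token_type")
    if str(data["token_type"]).lower() != "bearer":
        raise ValueError(f"unexpected token_type {data['token_type']!r}")
    return {
        "access_token": data["access_token"],
        "expires_in": int(data.get("expires_in", 0)),
        "scope": data.get("scope"),
        "refresh_token": data.get("refresh_token"),
    }


def request_token(token_url, client_id, client_secret, username, password,
                  scope=None):
    """Send the request with urllib. Only meaningful against a live server;
    refuses plain http because the user's password travels in the body."""
    if not token_url.lower().startswith("https://"):
        raise ValueError("password grant must only be sent over TLS")
    url, headers, body = build_password_grant_request(
        token_url, client_id, client_secret, username, password, scope)
    req = Request(url, data=body, headers=headers, method="POST")
    with urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read())


if __name__ == "__main__":
    # Placeholder host and credentials; the path mirrors the answer's /oauth2/token.
    url, headers, body = build_password_grant_request(
        "https://cache.example.test/oauth2/token", "xxxxxx", "xxxxxx",
        "pravin", "1234", scope="profile")
    print("POST", url)
    print(body.decode())
    # Constructed sample success reply, shaped like RFC 6749 s5.1.
    sample = b'{"access_token":"abc","token_type":"bearer","expires_in":3600,"scope":"profile"}'
    print(parse_token_response(sample))
```

Running the module prints the body `grant_type=password&username=pravin&password=1234&scope=profile`, which is all the token endpoint needs for this grant; the extra parameters in the thread's requests are tolerated by servers that ignore unknown parameters, but they add nothing. Because this grant hands the user's password to the client, it is only appropriate for first-party clients the authorization server already trusts, and the `request_token` helper refuses non-TLS URLs for that reason.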