See openid-connect Menu

Resource Owner Password Grant


Use this API to authenticate a given user’s username and password. It makes use of the OpenID password grant and upon success will create a session and return an access token.

Note that the access token returned is different to the access token generated via the OAuth 2.0 Tokens API. Therefore it can not be used to authorize API calls against other endpoints such as Users or Events.

Resource URL

https://<subdomain>.onelogin.com/oidc/2/token

Header Parameter

Authorization

required

string

Set to Basic <base64 encoded "clientId:clientSecret">.

The client_id and client_secret are generated when you configure your OpenId Connect app in OneLogin.

e.g. Using Node.js this would be

new Buffer(`${client_id}:${client_secret}`).toString('base64');

Content-Type

required

string

application/x-www-form-urlencoded

Resource Parameter

subdomain

required

string

Set to the subdomain of your OneLogin instance.

e.g. oidc-sample where the instance is https://oidc-sample.onelogin.com

Request Parameter

grant_type

required

string

Set to “password”

client_id

required

string

The OneLogin generated Client ID for your OpenID Connect app.

username

required

string

The username for a given user

password

required

string

The password for a given user

scope

required

string

Requires at least “openid”. Add “profile” and/or “email” to get additional user information returned in the id_token and User Info endpoint.

You must supply the offline_access scope if you wish to obtain a Refresh Token.

resource

string

Optional. When API Authorization is configured, specify the API Resource Identifier here to generate a customized Access Token that can be used for authorizing access to apis and api gateways.

e.g. resource=https://api.example.com/contacts

Sample Request Body

username=rich&password=password&client_id=ba88ac70-1234-0135-527a&grant_type=password&scope=openid

Sample Response

{
    "access_token": "NWE4Nzg2ZDEtNzQyMS00ZDViLThjMjctMGQwNjlmZjU5MWNkBGjFElT7CWzl0d....",
    "expires_in": 3600,
    "token_type": "Bearer",
    "refresh_token": "897987AGBEtNzQyMS00ZDViLThjMjctMGQwNjlmZjU5MWNkBGjFElT7CWzl0d...."
}

Probably an invalid client_id

{
    "error": "invalid_request",
    "error_description": "Resource not found"
}

The grant_type MUST be set to password

{
    "error": "unsupported_grant_type",
    "error_description": "unsupported grant_type requested (xxxx)"
}

The authorization header is invalid

{
    "error": "invalid_request",
    "error_description": "invalid authorization header value format"
}
{
    "error": "invalid_request",
    "error_description": "Authentication Failed"
}
{
    "error": "invalid_request",
    "error_description": "Authentication Failed: Invalid user credentials"
}
{
    "error": "invalid_request",
    "error_description": "MFA is required for this user"
}
{
    "error": "invalid_request",
    "error_description": "User is locked. Access is unauthorized"
}
{
    "error": "invalid_request",
    "error_description": "User is suspended. Access is unauthorized"
}
{
    "error": "invalid_request",
    "error_description": "Password expired"
}
{
    "error": "invalid_request",
    "error_description": "Access is unauthorized"
}

Response Elements

access_token A JSON Web Token (JWT) that represents the session that has just been created for the user.

For example the body of the JWT contains:

{
  "jti": "s0r5Z9z6LTJPs2xP2sipi",
  "iss": "https://acme.onelogin.com/oidc/2",
  "iat": 1534812736,
  "exp": 1534813336,
  "aud": "9a6d6350-2af8-0136-197b-06acc76d34b492920"
}
expires_in The number of seconds until the session expires. This timeout can be configured by setting the Access Token Timeout period in your OpenId Connect app via the OneLogin portal.
token_type The type of access token. Always set to “Bearer”
refresh_token Only returned if a Refresh Token Timeout period has specified in your OpenId Connect app settings via the OneLogin portal.

Sample Code

cURL

Replace sample values indicated by < > with your actual values.

curl -XPOST "https://<subdomain>.onelogin.com/oidc/2/token" \
-H "Authorization: Basic <base64 encoded client_id:client_secret>" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=password&username=<username>&password=<password>&client_id=<client_id>&scope=openid"

Postman Collection

Run In Postman

    Clicking Run in Postman button navigates to the page where you can fork the collection to your workspace. Forking the collection into your workspace will enable you to contribute to the source collection using pull requests. You can also view the collection in a public workspace if you like and even import a copy of the collection using the links present on the screen.

Have a Question?

Found a problem or a bug? Submit a support ticket.

Looking for walkthroughs or how-to guides on OneLogin's user and admin features? Check out the documentation in our Knowledge Base.

Have a product idea or request? Share it with us in our Ideas Portal.