See openid-connect Menu

Resource Owner Password Grant


Upgrade Available

There is a more recent version of this OpenId Connect API available. Learn more.

Use this API to authenticate a given user’s username and password. It makes use of the OpenID password grant and upon success will create a session and return an access token.

Note that the access token returned is different to the access token generated via the OAuth 2.0 Tokens API. Therefore it can not be used to authorize API calls against other endpoints such as Users or Events.

Resource URL

https://<region>.onelogin.com/oidc/token

Header Parameter

Authorization

required

string

Set to Basic <base64 encoded "clientId:clientSecret">.

The client_id and client_secret are generated when you configure your OpenId Connect app in OneLogin.

e.g. Using Node.js this would be

new Buffer(`${client_id}:${client_secret}`).toString('base64');

Content-Type

required

string

application/x-www-form-urlencoded

Resource Parameter

region

required

string

Set to the region of your OneLogin instance.

  • openid-connect
  • openid-connect-eu
e.g. If your OneLogin instance is located in Europe then use https://openid-connect-eu.onelogin.com/oidc

Request Parameter

grant_type

required

string

Set to “password”

client_id

required

string

The OneLogin generated Client ID for your OpenID Connect app.

username

required

string

The username for a given user

password

required

string

The password for a given user

scope

required

string

Requires at least “openid”. Add “profile” and/or “email” to get additional user information returned in the id_token and User Info endpoint.

Sample Request Body

username=rich&password=password&client_id=ba88ac70-1234-0135-527a&grant_type=password&scope=openid

Sample Response

{
    "access_token": "NWE4Nzg2ZDEtNzQyMS00ZDViLThjMjctMGQwNjlmZjU5MWNkBGjFElT7CWzl0d....",
    "expires_in": 3600,
    "token_type": "Bearer",
    "refresh_token": "897987AGBEtNzQyMS00ZDViLThjMjctMGQwNjlmZjU5MWNkBGjFElT7CWzl0d...."
}

Probably an invalid client_id

{
    "error": "invalid_request",
    "error_description": "Resource not found"
}

The grant_type MUST be set to password

{
    "error": "unsupported_grant_type",
    "error_description": "unsupported grant_type requested (xxxx)"
}

The authorization header is invalid

{
    "error": "invalid_request",
    "error_description": "invalid authorization header value format"
}
{
    "error": "invalid_request",
    "error_description": "Authentication Failed"
}
{
    "error": "invalid_request",
    "error_description": "Authentication Failed: Invalid user credentials"
}
{
    "error": "invalid_request",
    "error_description": "MFA is required for this user"
}
{
    "error": "invalid_request",
    "error_description": "User is locked. Access is unauthorized"
}
{
    "error": "invalid_request",
    "error_description": "User is suspended. Access is unauthorized"
}
{
    "error": "invalid_request",
    "error_description": "Password expired"
}
{
    "error": "invalid_request",
    "error_description": "Access is unauthorized"
}

Response Elements

access_token The token that represents the session that has just been created for the user.
expires_in The number of seconds until the session expires. This timeout can be configured by setting the Access Token Timeout period in your OpenId Connect app via the OneLogin portal.
token_type The type of access token. Always set to “Bearer”
refresh_token Only returned if a Refresh Token Timeout period has specified in your OpenId Connect app settings via the OneLogin portal.
refreshToken

DEPRECATED

This field will be removed in December 2018. Use refresh_token instead.

Sample Code

cURL

Replace sample values indicated by < > with your actual values.

curl -XPOST "https://<region>.onelogin.com/oidc/token" \
-H "Authorization: Basic <base64 encoded client_id:client_secret>" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=password&username=<username>&password=<password>&client_id=<client_id>&scope=openid"


Have a Question?

Have a how-to question? Seeing a weird error? Ask us about it on StackOverflow.

Found a bug? Submit a support ticket.

Have a product idea or request? Share it with us in our Ideas Portal.

StackOverflow discussions about "[onelogin] openid connect"

  • 5
    Votes
    1
    Answers

    Q: How to use onelogin SSO with AngularJS?

    Asked Jun 20 2016

    questions: 1> Onelogin is using SAML instead of OpenID Connect. I am not asking what's the difference between these two, but what is recommended since everyone is moving towards OpenID Connect? 2> Does Onelogin supports AngularJS? I don't see any documentation for onelogin API with AngularJS & Node See Here … I was looking into Onelogin for SSO. We have applications written in .NET, AngularJS + Node. None of these applications are mobile applications. After going through their documentation I have few …

  • 4
    Votes

    A: SAML for Native Mobile Apps(Android and IOS)

    Answered Apr 02 2018

    session you've established with an SSO provider) between native apps that also support SAML the same way. https://spin.atomicobject.com/2016/09/01/sharing-web-data-wkwebview/ Basically, if you do this, you'll also be supporting SSO on mobile via SAML (or OpenID Connect, if you go that route) …

  • 3
    Votes

    A: Does OneLogin support client session management via OIDC?

    Answered Nov 16 2018

    https://openid.net/specs/openid-connect-session-1_0.html: 2.1. OpenID Provider Discovery Metadata These OpenID Provider Metadata parameters MUST be included in the Server's discovery … responses when Session Management and Discovery are supported: check_session_iframe ... end_session_endpoint ... I don't see these metadata parameters in the OneLogin discovery metadata, so it looks like Session Management is not supported. …

  • 2
    Votes

    A: How to Validate an Access Token for OAuth2 + PCKE flow

    Answered Apr 25 2019

    returned from the auth code flow https://developers.onelogin.com/openid-connect/api/authorization-code-grant worked, and the access_token only returned {"active":false} after it expired. Make sure you are not setting the Authorization header, and only set your client_id in the payload. … I'm using OIDC with PKCE, and I managed to call the https://openid-connect.onelogin.com/oidc/token/introspection endpoint with a token retrieved via the authorization code flow: $ curl -i -d "token …

  • 1
    Votes

    A: XMLHttpRequest has been blocked by CORS policy - https://openid-connect-eu.onelogin.com/oidc/token

    Answered May 23 2019

    , which is documented here: https://developers.onelogin.com/openid-connect/api/id-token OneLogin also has sample code for this: https://github.com/onelogin/onelogin-oidc-node/tree/master/2.%20Implicit%20Flow … Javascript prevents POST calls to other domains at the browser level unless they are expressly permitted by the service (and OneLogin doesn't permit this, for security reasons) I'll add that doing …

Loading...