Resource Owner Password Grant
Deprecation Notice
There is a more recent version of this OpenId Connect API available. Learn more.
This endpoint will be removed from service on April 20th 2021.
Use this API to authenticate a given user’s username and password. It makes use of the OpenID password grant and upon success will create a session and return an access token.
Note that the access token returned is different to the access token generated via the OAuth 2.0 Tokens API. Therefore it can not be used to authorize API calls against other endpoints such as Users or Events.
Resource URL
https://<region>.onelogin.com/oidc/token
Header Parameter
Authorization required string | Set to The e.g. Using Node.js this would be
|
Content-Type required string | application/x-www-form-urlencoded |
Resource Parameter
region required string |
Set to the
https://openid-connect-eu.onelogin.com/oidc
|
Request Parameter
grant_type required string |
Set to “password” |
client_id required string |
The OneLogin generated Client ID for your OpenID Connect app. |
username required string |
The username for a given user |
password required string |
The password for a given user |
scope required string |
Requires at least “openid”. Add “profile” and/or “email” to get additional user information returned in the |
Sample Request Body
username=rich&password=password&client_id=ba88ac70-1234-0135-527a&grant_type=password&scope=openid
Sample Response
- 200 OK
- 400 Bad Request
- 401 Unauthorized
{
"access_token": "NWE4Nzg2ZDEtNzQyMS00ZDViLThjMjctMGQwNjlmZjU5MWNkBGjFElT7CWzl0d....",
"expires_in": 3600,
"token_type": "Bearer",
"refresh_token": "897987AGBEtNzQyMS00ZDViLThjMjctMGQwNjlmZjU5MWNkBGjFElT7CWzl0d...."
}
Probably an invalid client_id
{
"error": "invalid_request",
"error_description": "Resource not found"
}
The grant_type
MUST be set to password
{
"error": "unsupported_grant_type",
"error_description": "unsupported grant_type requested (xxxx)"
}
The authorization header is invalid
{
"error": "invalid_request",
"error_description": "invalid authorization header value format"
}
{
"error": "invalid_request",
"error_description": "Authentication Failed"
}
{
"error": "invalid_request",
"error_description": "Authentication Failed: Invalid user credentials"
}
{
"error": "invalid_request",
"error_description": "MFA is required for this user"
}
{
"error": "invalid_request",
"error_description": "User is locked. Access is unauthorized"
}
{
"error": "invalid_request",
"error_description": "User is suspended. Access is unauthorized"
}
{
"error": "invalid_request",
"error_description": "Password expired"
}
{
"error": "invalid_request",
"error_description": "Access is unauthorized"
}
Response Elements
access_token |
The token that represents the session that has just been created for the user. |
expires_in |
The number of seconds until the session expires. This timeout can be configured by setting the Access Token Timeout period in your OpenId Connect app via the OneLogin portal. |
token_type |
The type of access token. Always set to “Bearer” |
refresh_token |
Only returned if a Refresh Token Timeout period has specified in your OpenId Connect app settings via the OneLogin portal. |
refreshToken
DEPRECATED |
This field will be removed in December 2018. Use refresh_token instead. |
Sample Code
cURL
Replace sample values indicated by < >
with your actual values.
curl -XPOST "https://<region>.onelogin.com/oidc/token" \
-H "Authorization: Basic <base64 encoded client_id:client_secret>" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=password&username=<username>&password=<password>&client_id=<client_id>&scope=openid"
Postman Collection
Replace sample variables indicated by {{ }}
with your actual values.
Download for the OpenId Connect API
Have a Question?

Have a how-to question? Seeing a weird error? Ask us about it on StackOverflow.

Found a bug? Submit a support ticket.

Have a product idea or request? Share it with us in our Ideas Portal.
StackOverflow discussions about "[onelogin] openid connect"
-
A: SAML for Native Mobile Apps(Android and IOS)
Answered Apr 02 2018https://spin.atomicobject.com/2016/09/01/sharing-web-data-wkwebview/ Basically, if you do this, you'll also be supporting SSO on mobile via SAML (or OpenID Connect, if you go that route) …
-
Q: How to use onelogin SSO with AngularJS?
Asked Jun 20 2016After going through their documentation I have few questions: 1> Onelogin is using SAML instead of OpenID Connect. … I am not asking what's the difference between these two, but what is recommended since everyone is moving towards OpenID Connect? 2> Does Onelogin supports AngularJS? …
-
A: Does OneLogin support client session management via OIDC?
Answered Nov 16 2018https://openid.net/specs/openid-connect-session-1_0.html: 2.1. … I don't see these metadata parameters in the OneLogin discovery metadata, so it looks like Session Management is not supported. …
-
A: How to Validate an Access Token for OAuth2 + PCKE flow
Answered Apr 25 2019,"iss":"https://openid-connect.onelogin.com/oidc","jti":"..." … ,"scope":"openid profile email"} Both the access_token and refresh_token returned from the auth code flow https://developers.onelogin.com/openid-connect/api/authorization-code-grant worked, and the access_token …
-
Q: Python/Django library for registering multiple SSO Identity Providers(OpenID Connect)
Asked Nov 08 2019I'm working on a project written in Python(Django) and i recently added an SSO option for logging in with OneLogin accounts. There's already support for Microsofts Azure SSO from an earlier feature. … I'm looking for a library which can somehow register different identity providers(Microsoft, OneLogin, Facebook, etc...) and then wrap the similar login logic into a single class, which would handle all …

Loading...