OAuth 2.0 Resource Owner Password Credentials (ROPC), also known in Postman as the 'Password Credentials' OAuth 2.0 Grant Type.
See here for more information: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
The current allowed method from the Generic OAuth 2.0 - Generic Oauth 2 Identity Provider only allows for: Client id & Client secret.
This does not grant access to OAuth 2.0 APIs that use a 'Password Credentials' method, using 'Username' and 'Password'.
This is a necessary feature addition to Custom Connectors to enable developers to use API authentication that has expiration on its bearer tokens, and can only be logged in to via Username and Password.
These are the directions that I was given to call a REST API, but I believe that I cannot complete it, because of this inability to use the grant_type.
--- REST API Instructions ---
To make a REST API call, you must include request headers including the Authorization header with an OAuth 2.0 access token. To get an access token, pass the [ApiClientKey]:[ApiClientSecret] credentials to the Authorization Server in base64 format in the Authorization header in a get access token request. To make a REST API call, you must include request headers including the Authorization header with an OAuth 2.0 access token.
POST /auth/token HTTP/1.1
Host: restapi.companyxyz.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic [user.secret in base64 format]
Cache-Control: no-cache
Using the access token provided in the authorization response, the API client can now access the REST API on behalf of the authorizing user as follows:
Please implement this. The password grant type is officially defined in the OAuth 2.0 spec: https://datatracker.ietf.org/doc/html/rfc6749#section-4.3
There are workarounds that may work for a proof of concept but not a production app. We are currently looking to integrate with a vendor's API that only supports the password grant type and at this point are going to have to set up a proxy of some kind to handle the authentication between the custom connector and the vendor's API.
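What the proxy mentioned above has to do on the token side, as an added example that is not part of the original posts or of any vendor's code: build the password-grant request from RFC 6749 section 4.3.2 with the Basic client header shown in the REST API instructions, and re-request the token before it expires. The function and class names, the 30-second skew, and all credential values in the test are assumptions made for illustration.

```python
import base64
import time
import urllib.parse


def build_ropc_request(client_key, client_secret, username, password, scope=None):
    """Return (headers, body) for an RFC 6749 section 4.3.2 token request."""
    # Client credentials go in the Basic header as key:secret, as the
    # REST API instructions in the post describe.
    basic = base64.b64encode(f"{client_key}:{client_secret}".encode()).decode()
    form = {"grant_type": "password", "username": username, "password": password}
    if scope:
        form["scope"] = scope
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Cache-Control": "no-cache",
    }
    # urlencode percent-encodes reserved characters, so a password containing
    # '&' or '=' cannot inject extra form parameters.
    return headers, urllib.parse.urlencode(form)


class TokenCache:
    """Holds one bearer token and reports when it must be re-requested."""

    def __init__(self, skew=30):
        self.skew = skew  # assumed margin: refresh this many seconds early
        self.token = None
        self.expires_at = 0.0

    def store(self, response, now=None):
        """Accept a parsed JSON token response (RFC 6749 section 5.1)."""
        now = time.time() if now is None else now
        if response.get("token_type", "").lower() != "bearer":
            raise ValueError("unexpected token_type")
        self.token = response["access_token"]
        # expires_in is optional in the RFC; a missing value means "do not cache".
        self.expires_at = now + int(response.get("expires_in", 0))

    def valid(self, now=None):
        now = time.time() if now is None else now
        return self.token is not None and now < self.expires_at - self.skew

    def auth_header(self):
        return {"Authorization": f"Bearer {self.token}"}
```

The user's password stays inside the proxy and is sent only in the POST body over TLS; the connector side only ever receives the result of `auth_header()`.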