
Custom Connector - Generic OAuth 2.0 Password Grant Authentication

OAuth 2.0 Resource Owner Password Credentials (ROPC), also known in Postman as the 'Password Credentials' OAuth 2.0 Grant Type.

See here for more information: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc

The Generic OAuth 2.0 identity provider currently only allows for: Client id & Client secret.

This does not grant access to OAuth 2.0 APIs that use a 'Password Credentials' method with a 'Username' and 'Password'.

This is a necessary feature addition to Custom Connectors to enable developers to use API authentication that has expiring bearer tokens and can only be logged into via Username and Password.

 

Original Thread:

https://powerusers.microsoft.com/t5/Building-Power-Apps/OAuth-2-0-Resource-Owner-Password-Credential...

Status: New
Comments
New Member

These are the directions that I was given to call a REST API, but I believe that I cannot complete it because of this inability to use the grant_type.

 

--- REST API Instructions ---

To make a REST API call, you must include request headers including the Authorization header with an OAuth 2.0 access token. To get an access token, pass the [ApiClientKey]:[ApiClientSecret] credentials to the Authorization Server in base64 format in the Authorization header in a get access token request.

 

Sample Code:

POST /auth/token HTTP/1.1
Host: restapi.companyxyz.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic [user.secret in base64 format]
Cache-Control: no-cache

grant_type=client_credentials

 

Using the access token provided in the authorization response, the API client can now access the REST API on behalf of the authorizing user as follows:

  • Use a header in the format Authorization: Bearer [token].
  • Your application should check for 403 errors in case the user has revoked application access or the token has expired.
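The following is an added example, not code from the thread or from Microsoft: it builds the token request exactly as the quoted sample shows it (Basic client key:secret header, grant_type=client_credentials), builds the ROPC 'password' variant that the idea asks the connector to support (same header, with username and password added to the form body), and drives a small client that caches the bearer token, refreshes it before expires_in runs out and re-authenticates once when the API answers 401/403, which is the revoked-or-expired case the instructions mention. The token path /auth/token and host come from the sample; the credential values, the resource path and the in-memory stand-in for the two servers are constructed for the demo.

```python
"""Added example (not part of the original thread): OAuth 2.0 token requests
(client_credentials and password grant) plus a bearer client that handles
token expiry and 403 re-authentication. All credential and path values are
made-up placeholders."""
import base64
import time
from urllib.parse import urlencode

TOKEN_URL = "https://restapi.companyxyz.com/auth/token"  # host and path from the thread's sample


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 s2.3.1 client authentication: 'id:secret', base64-encoded."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def client_credentials_request(client_id: str, client_secret: str) -> dict:
    """Token request in the form the thread's sample shows (grant_type=client_credentials)."""
    return {
        "method": "POST", "url": TOKEN_URL,
        "headers": {"Content-Type": "application/x-www-form-urlencoded",
                    "Authorization": basic_auth_header(client_id, client_secret),
                    "Cache-Control": "no-cache"},
        "body": urlencode({"grant_type": "client_credentials"}),
    }


def password_grant_request(client_id, client_secret, username, password, scope=None) -> dict:
    """ROPC token request: the user's credentials travel in the form body, the
    client's in the Authorization header. The cleartext password leaves the
    client, so this grant is only acceptable over TLS with a trusted client."""
    form = {"grant_type": "password", "username": username, "password": password}
    if scope:
        form["scope"] = scope
    req = client_credentials_request(client_id, client_secret)
    req["body"] = urlencode(form)
    return req


def as_raw_http(req: dict) -> str:
    """Renders a request in the same wire form as the thread's sample."""
    host = req["url"].split("/")[2]
    path = "/" + req["url"].split("/", 3)[3]
    lines = [f"{req['method']} {path} HTTP/1.1", f"Host: {host}"]
    lines += [f"{k}: {v}" for k, v in req["headers"].items()]
    return "\n".join(lines) + "\n\n" + req["body"]


class BearerClient:
    """Caches the access token, refreshes it before nominal expiry and
    re-authenticates once if the API rejects it with 401/403."""
    SKEW = 30  # seconds of safety margin before expires_in elapses

    def __init__(self, fetch_token, send, clock=time.time):
        self._fetch_token = fetch_token  # callable() -> token response dict
        self._send = send                # callable(path, headers) -> (status, body)
        self._clock = clock
        self._token, self._expires_at = None, 0.0
        self.token_fetches = 0

    def _auth_header(self) -> dict:
        if self._token is None or self._clock() >= self._expires_at:
            resp = self._fetch_token()
            self._token = resp["access_token"]
            self._expires_at = self._clock() + float(resp.get("expires_in", 3600)) - self.SKEW
            self.token_fetches += 1
        return {"Authorization": f"Bearer {self._token}"}

    def call(self, path: str):
        status, body = self._send(path, self._auth_header())
        if status in (401, 403):          # revoked or expired: drop cache, retry once
            self._token = None
            status, body = self._send(path, self._auth_header())
        return status, body


class FakeClock:
    def __init__(self, t=1000.0): self.t = t
    def __call__(self): return self.t


def demo():
    """Runs the client against a constructed in-memory authorization + resource server."""
    clock, issued, seq = FakeClock(), {}, {"n": 0}   # issued: token -> absolute expiry
    expected_auth = basic_auth_header("ApiClientKey", "ApiClientSecret")

    def fake_token_endpoint():
        req = client_credentials_request("ApiClientKey", "ApiClientSecret")
        assert req["headers"]["Authorization"] == expected_auth  # server checks client creds
        seq["n"] += 1
        tok = f"tok{seq['n']}"
        issued[tok] = clock() + 60
        return {"access_token": tok, "token_type": "Bearer", "expires_in": 60}

    def fake_api(path, headers):
        tok = headers.get("Authorization", "").partition("Bearer ")[2]
        if issued.get(tok, 0) > clock():
            return 200, f"GET {path} ok"
        return 403, "token expired or revoked"

    client = BearerClient(fake_token_endpoint, fake_api, clock)
    results = [client.call("/v1/items")[0]]        # first call: fetch token, 200
    clock.t += 120                                 # past expires_in: proactive refresh
    results.append(client.call("/v1/items")[0])    # 200 with a new token
    issued.clear()                                 # server-side revocation
    results.append(client.call("/v1/items")[0])    # 403 -> re-auth -> 200
    return results, client.token_fetches


if __name__ == "__main__":
    print(as_raw_http(password_grant_request("ApiClientKey", "ApiClientSecret", "user", "pass")))
    print(demo())
```

Note that the sample the commenter quotes already uses grant_type=client_credentials, so the only difference for a password-grant API is the two extra form fields; the header handling and the 403 retry are the same in both cases.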