cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
RyanW7

Custom Connector - Generic OAuth 2.0 Password Grant Authentication

Submitted by Advocate II on ‎03-06-2020 04:31 AM

OAuth 2.0 Resource Owner Password Credentials (ROPC), also known in Postman as the 'Password Credentials' OAuth 2.0 Grant Type.

See here for more information: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc

The current allowed method from the Generic OAuth 2.0 - Generic Oauth 2 Identity Provider only allows for: Client id & Client secret.

This does not grant access to OAuth 2.0 APIs that use a 'Password Credentials' method, using 'Username' and 'Password'

This is a necessary feature addition to Custom Connectors enable developers to use API authentication that have expiration on their bearer tokens, and can only be logged in via Username and Password.

 

Original Thread:

https://powerusers.microsoft.com/t5/Building-Power-Apps/OAuth-2-0-Resource-Owner-Password-Credential...

Status: New
2 Comments (2 New)
Comments
ClarkSteveB
New Member
‎03-29-2020 04:43 AM

These are the directions that I was given to call a REST API, but believe that I cannot complete it, because of this inability to use the grant_type.

 

--- REST API Instructions ---

To make a REST API call, you must include request headers including the Authorization header with an OAuth 2.0 access token. To get an access token, pass the [ApiClientKey]:[ApiClientSecret] credentials to the Authorization Server in base64 format in the Authorization header in a get access token request.
To make a REST API call, you must include request headers including the Authorization header with an OAuth 2.0 access token.

 

Sample Code:

POST /auth/token HTTP/1.1
Host: restapi.companyxyz.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic [user.secret in base64 format]
Cache-Control: no-cache

grant_type=client_credentials

 

Using the access token provided in the authorization response, the API client can now access the REST API on behalf of the authorizing user as follows:

  • Use a header in the format Authorization: Bearer [token].
  • Your application should check for 403 errors in case the user has revoked application access or the token has expired.
pdoyle
New Member
‎10-18-2021 08:40 AM

Please implement this.  The password grant type is officially defined in the Oauth2.0 spec:  https://datatracker.ietf.org/doc/html/rfc6749#section-4.3

 

There are workarounds that may work for a proof of concept but not a production app.  We are currently looking to integrate with a vendor's API that only supports the password grant type and at this point are going to have to setup a proxy of some kind to handle the authentication between the custom connector and the vendor's API.