Administrator Guide

Authorization Grant Types for OAuth
OAuth 2 provides several "grant types" for different use cases. W-ClearPass supports the following defined
grant types:
- Password: for logging in with a username and password
- Client credentials: for application access
Resource Owner Password Grant Type
OAuth 2 also provides a password grant type, which exchanges a username and password for an access token
directly. It is often compared with HTTP basic authentication because the same credentials are sent, but it shares
the security benefits of the other OAuth 2 grant types: the access token expires, and it can be refreshed without
caching or resubmitting the user's credentials.
Because the application must collect the user's credentials itself, this grant type should only be used by
first-party apps that have a direct trust relationship with the authorization server. A real-world example is the
official mobile app for a social networking site, as opposed to third-party developers building their own mobile
experience on the platform's APIs; those third parties should use a redirect-based flow such as the Implicit flow
(note that the OAuth 2.0 Security Best Current Practice now deprecates Implicit in favor of the authorization code
flow with PKCE).
The following diagram shows the transaction flow of the password grant type.
Figure 414 Password Grant Type Transaction Flow
1. The user enters credentials directly into the app's native user interface. The app must not cache the user's
credentials under any circumstances.
2. The app submits the user credentials to the authorization server's token endpoint. The request includes
grant_type=password, username, password, client_id, and client_secret. The client_secret is not
required if the OAuth2 app is defined as a public client.
3. The authorization server returns the access token to use in subsequent API calls. The response includes
access_token, expires_in (the token lifetime in seconds), token_type=bearer, and refresh_token.
4. The app includes the access token in the HTTP Authorization header as Bearer access_token.
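The four steps above, worked through as an added example that is not part of this guide or of W-ClearPass: a constructed, in-memory model of the token endpoint and a first-party native app, covering the password grant, the public-versus-confidential client rule for client_secret, bearer-token use against a protected resource, and the refresh-token grant that renews access without the app ever storing the user's password. The registered clients, user store, token lifetime and refresh-token rotation are assumptions of the model.

```python
# Added example: constructed model of the OAuth2 resource owner password grant
# (RFC 6749 section 4.3) plus the refresh_token grant. Not W-ClearPass code; the
# client registrations, user store, TOKEN_TTL and token rotation are assumptions.
import secrets
import time
from urllib.parse import parse_qs, urlencode

TOKEN_TTL = 3600  # assumed access_token lifetime in seconds (reported as expires_in)

# Constructed client registrations: a public client (no client_secret) and a
# confidential one. Real servers store a hash of the secret, not the plaintext.
CLIENTS = {
    "mobile-app": {"public": True, "secret": None},
    "backend-service": {"public": False, "secret": "constructed-client-secret"},
}
USERS = {"alice": "correct horse battery staple"}  # constructed; real stores hold hashes


def _ct_equal(a, b):
    """Constant-time string comparison (avoids leaking secrets via timing)."""
    return secrets.compare_digest(a.encode(), b.encode())


class AuthorizationServer:
    """Hypothetical token endpoint and a protected resource sharing its token store."""

    def __init__(self):
        self._access = {}   # access_token -> (username, absolute expiry timestamp)
        self._refresh = {}  # refresh_token -> (username, client_id it was issued to)

    def token(self, body):
        """Handle a form-encoded POST to the token endpoint (steps 2 and 3)."""
        form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
        client = CLIENTS.get(form.get("client_id", ""))
        if client is None:
            return {"error": "invalid_client"}
        # Confidential clients must present client_secret; public clients have none.
        if not client["public"] and not _ct_equal(form.get("client_secret", ""), client["secret"]):
            return {"error": "invalid_client"}
        grant = form.get("grant_type")
        if grant == "password":
            expected = USERS.get(form.get("username", ""))
            if expected is None or not _ct_equal(form.get("password", ""), expected):
                return {"error": "invalid_grant"}  # same error for bad user or bad password
            return self._issue(form["username"], form["client_id"])
        if grant == "refresh_token":
            # Model assumption: refresh tokens are single use (rotated on each refresh)
            # and only honored for the client they were issued to.
            record = self._refresh.pop(form.get("refresh_token", ""), None)
            if record is None or record[1] != form["client_id"]:
                return {"error": "invalid_grant"}
            return self._issue(record[0], form["client_id"])
        return {"error": "unsupported_grant_type"}

    def _issue(self, username, client_id):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[access] = (username, time.time() + TOKEN_TTL)
        self._refresh[refresh] = (username, client_id)
        return {"access_token": access, "token_type": "bearer",
                "expires_in": TOKEN_TTL, "refresh_token": refresh}

    def resource(self, headers):
        """Protected API (step 4): accept only a valid, unexpired bearer token."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        record = self._access.get(token)
        if scheme.lower() != "bearer" or record is None or record[1] <= time.time():
            return 401, {"error": "invalid_token"}
        return 200, {"user": record[0]}


class NativeApp:
    """First-party app: collects the credentials once and retains only the tokens."""

    def __init__(self, server, client_id, client_secret=None):
        self.server, self.client_id, self.client_secret = server, client_id, client_secret
        self.tokens = None

    def _post(self, params):
        params["client_id"] = self.client_id
        if self.client_secret is not None:  # omitted entirely for a public client
            params["client_secret"] = self.client_secret
        response = self.server.token(urlencode(params))
        self.tokens = None if "error" in response else response
        return self.tokens is not None

    def login(self, username, password):
        """Steps 1-3: the password is sent once and not kept after this call returns."""
        return self._post({"grant_type": "password", "username": username, "password": password})

    def refresh(self):
        """Renew the access token without resubmitting the user's credentials."""
        if not self.tokens:
            return False
        return self._post({"grant_type": "refresh_token", "refresh_token": self.tokens["refresh_token"]})

    def call_api(self):
        """Step 4: present the access token in the HTTP Authorization header."""
        return self.server.resource({"Authorization": "Bearer " + self.tokens["access_token"]})
```

Running `NativeApp(AuthorizationServer(), "mobile-app").login("alice", ...)` followed by `call_api()` exercises the flow end to end; once the access token has expired, `refresh()` obtains a new one from the refresh token alone, which is the property the text contrasts with HTTP basic authentication.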
Dell Networking W-ClearPass Guest 6.6 | User Guide Administration | 567