Resource Owner Password Flow



The ROPG flow has been omitted from the OAuth 2.1 specification and is no longer recommended, because it requires the client application to collect and forward the user's password. Use the authorization code flow with PKCE instead.



  1. Set up the OAuth2 client custom application and select the auth method "Resource Owner"

  2. Create a confidential client

The Resource owner password grant is used for non-interactive user flows in which the client application passes its own client credentials along with the resource owner's (the user's) username and password directly to the token endpoint.

This guide describes how ROPG flow can be integrated with CyberArk Identity.

How does it work?


In this flow,

  • The client application (or relying party) requests access tokens from CyberArk Identity by passing its client credentials along with the resource owner's (the user's) username and password.
  • CyberArk Identity authenticates the client and the user and returns the access token.
  • The client application uses the access token to request protected resources.

Integrate CyberArk Identity's resource owner flow

The first API that is invoked is /token/. The Authorization header is set to Basic, followed by a Base64-encoded string constructed from the client ID and client secret separated by a ":" character:

Header: Authorization Basic <Client ID:Client Secret (Base64 encoded)>

The body of the request specifies a grant_type of password, the resource owner's username and password, and optionally, a scope:

POST https://<yourtenant>/oauth2/token/<your app ID>
	"grant_type":"password",
	"username":"<resource owner username>",
	"password":"<resource owner password>",
	"scope":"<OAuth Custom Scope(s)>",

The response contains an access_token for use in subsequent API calls, as well as information about the token's expiration time (expires_in), the scope for which access was granted (scope), and the type of token issued (token_type):

	access_token = "abc1234asdf9823...",
	expires_in = <seconds until the token expires>,
	scope = "<granted scope(s)>",
	token_type = "Bearer"

The token can then be used in subsequent API calls by including it in the Authorization header along with the type of token. For example:

Header: Authorization Bearer abc1234asdf9823...
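The request and response described above, as an added example that is not CyberArk's SDK code or documentation. It builds the Basic Authorization header, the form-encoded password-grant body and the Bearer header for follow-up calls, and validates the token response before trusting it. The tenant host, app ID, client credentials, user credentials and the sample token response are constructed placeholders (assumptions); the endpoint shape follows the page.

```python
"""Worked example of the CyberArk Identity ROPG token exchange.

Added example, not CyberArk SDK code. All identifiers and credentials
below are placeholders; the endpoint shape follows the documentation:
POST https://<yourtenant>/oauth2/token/<your app ID>.
"""
import base64
import json
import urllib.parse
import urllib.request
from typing import Optional


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Authorization: Basic base64("<client_id>:<client_secret>")."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def token_request_body(username: str, password: str, scope: Optional[str] = None) -> bytes:
    """application/x-www-form-urlencoded body for grant_type=password.

    urlencode() percent-escapes '&', '=' and '+' so a password containing
    them cannot break the form or smuggle in extra fields.
    """
    fields = {"grant_type": "password", "username": username, "password": password}
    if scope:
        fields["scope"] = scope
    return urllib.parse.urlencode(fields).encode("utf-8")


def build_token_request(tenant: str, app_id: str, client_id: str, client_secret: str,
                        username: str, password: str, scope: Optional[str] = None):
    """Assemble the POST to /oauth2/token/<app ID> without sending it."""
    url = f"https://{tenant}/oauth2/token/{app_id}"
    req = urllib.request.Request(url, data=token_request_body(username, password, scope),
                                 method="POST")
    req.add_header("Authorization", basic_auth_header(client_id, client_secret))
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    # Never log req.data: with ROPG it carries the user's cleartext password.
    return req


def parse_token_response(body: bytes) -> dict:
    """Check the fields the page says come back; fail closed on anything odd."""
    data = json.loads(body)
    token = data.get("access_token")
    if not token or not isinstance(token, str):
        raise ValueError("token response has no access_token")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError(f"unexpected token_type: {data.get('token_type')!r}")
    return {
        "access_token": token,
        "expires_in": int(data.get("expires_in", 0)),
        "scope": data.get("scope", ""),
        "token_type": "Bearer",
    }


def bearer_header(access_token: str) -> str:
    """Header value for subsequent API calls: Authorization: Bearer <token>."""
    return "Bearer " + access_token


def request_token(req) -> dict:
    """Send the prepared request; the only function here that touches the network."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read())


# Constructed sample response (assumption), shaped like the one the page describes.
SAMPLE_RESPONSE = (b'{"access_token":"abc1234asdf9823","token_type":"Bearer",'
                   b'"expires_in":3600,"scope":"read"}')

if __name__ == "__main__":
    req = build_token_request("tenant.example", "app-id", "client-id", "s3cret",
                              "user@example.com", "p&ss=word", scope="read")
    print(req.full_url)
    print("Authorization:", req.get_header("Authorization"))
    tok = parse_token_response(SAMPLE_RESPONSE)          # offline; request_token(req) sends it
    print("Authorization:", bearer_header(tok["access_token"]), "expires in", tok["expires_in"], "s")
```

The client secret and the user's password both travel in this single request, which is why the flow is only suitable for a confidential client on a trusted host; keep the body out of logs and crash dumps, and check expires_in rather than caching the token indefinitely.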



Integrate ROPG flow using CyberArk Identity SDKs