API Description
Validates the user's username and password and returns an Access Token and an ID Token, completing the login. This interface corresponds to the Resource Owner Password Credentials grant of OAuth 2.0 (RFC 6749, section 4.3).
Note
In this flow the user's password passes through the application itself on its way to the identity provider, so the interface must only be invoked from a highly trusted application, and the password must be protected in transit (at minimum, HTTPS on every hop). Because the application sees the plaintext password, the OAuth 2.0 Security Best Current Practice (RFC 9700) advises against using the password grant at all. Where conditions permit, prefer Authentication Portal Login, which avoids passing the password through the application.
Supported Application Types
Web Applications, Single-Page Applications, Mobile Apps.
Request method
POST
Request path
/oauth2/token
Request Content-Type
application/x-www-form-urlencoded
Sample Request
POST /oauth2/token HTTP/1.1
Host: sample.portal.tencentciam.com
Content-Type: application/x-www-form-urlencoded

grant_type=password&client_id=TENANT_CLIENT_ID&client_secret=TENANT_CLIENT_SECRET&auth_source_id=MOCK_USERNAME_PASSWORD_AUTH_SOURCE_ID&username=MOCK_USERNAME&password=MOCK_PASSWORD&scope=openid
Request Parameters
Parameter | Optional | Description |
grant_type | false | Fixed value password. |
client_id | false | The application's client_id. See Application Management Page > Select Specific Application > Application Configuration > "Client Id". |
client_secret | true | The application's client_secret. See Application Management Page > Select Specific Application > Application Configuration > "client_secret". Required for Web Applications (confidential clients). Must not be sent by single-page applications or mobile apps: they are public clients, and any secret embedded in browser-delivered JavaScript or an installed app can be extracted by the user or an attacker, so it provides no client authentication. |
auth_source_id | false | ID of the username-password authentication source. Shown on the General Authentication Sources page in the console. |
username | false | The user's identifier. It must be one of the identifier attributes configured on the username-password authentication source, such as username, phone number, or email address. |
password | false | The user's password. |
scope | true | Optional. If passed, use the fixed value openid. |
Example of a successful response
Authentication succeeded
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8

{
  "access_token" : "eyJraWQiOiI1MzQyOGU3ZS1kOTJiLTQ3OTAtOGIwMC0wMmEyZjc4NjUxNzMiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJNT0NLX1VTRVJfSUQiLCJhdWQiOiJURU5BTlRfQ0xJRU5UX0lEIiwibmJmIjoxNjQwNTg4ODI2LCJzY29wZSI6WyJvcGVuaWQiXSwiaXNzIjoiaHR0cHM6XC9cL3NhbXBsZS5wb3J0YWwudGVuY2VudGNpYW0uY29tIiwiZXhwIjoxNjQwNTg5MTI2LCJpYXQiOjE2NDA1ODg4MjYsImp0aSI6IjU0ODZhNWRhLTE0YTYtNDNkZC04MWNkLTEwNmRiMDVhMjJmZiJ9.cd2hoQEVZLGcRaqhDLs-W8m9IN2pDT4XzluxYz4ulNwHTfBTu_1NamlH0kmd0KDhzBMRAl6YXHVDVOXZEV47C1uoYDATnwQetUsg8eJObzlPEVZ81ovU-eRm7I0lQ_MVI9MC7jMcdOKvEDJCOJtnwtorkQpqEPYovrxctNvvClqLBsDVbUebC2-iUGwz4vWE-DL17M39rqtmwXv6C21ovv6Pe9BSUUAj_CzHSV-ZSF7fjyYjnlTEOLjilFNsFD9Ow1czNFqnwxkc7dwugOGJ7qM30zuTgSme76K3tLbol8fKO-CUKglZO9mWIXUWizhePTzd3CKGE4C7gUHR40EjNw",
  "refresh_token" : "7uqTlthTQrzIZx8joT20chQbakZp81_iv39GTyCpsEyYpWoquNhuB3s6qEQHGeu2RBpaZcavFf9UOdgtUaCjB42D478MISnj6qBY52q3Pd5eNBBcXZ68oqMkFVidvgha",
  "scope" : "openid",
  "id_token" : "eyJraWQiOiI1MzQyOGU3ZS1kOTJiLTQ3OTAtOGIwMC0wMmEyZjc4NjUxNzMiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJNT0NLX1VTRVJfSUQiLCJhdWQiOiJURU5BTlRfQ0xJRU5UX0lEIiwiYXpwIjoiVEVOQU5UX0NMSUVOVF9JRCIsImlzcyI6Imh0dHBzOlwvXC9zYW1wbGUucG9ydGFsLnRlbmNlbnRjaWFtLmNvbSIsImV4cCI6MTY0MDU5MDYyNiwiaWF0IjoxNjQwNTg4ODI2LCJqdGkiOiI0Mzg0OTUwYS0zOTFlLTQ3MDgtYjFjYS05ZjVkNzQzN2Q3ZDIifQ.kaquINkB64dRAaXPG8KLBCpZ6hwNxtA5ruXpwYgEzFHppXQMqPRQQ-Iwn0659lpy8B2CqjRIar_A1xS518Uua3ItkUtoJQXcIxLDSGRatk6mZ6q7XgOHvALsLhQlYQjn36kXdnOJipPVB124y-o20UHwUC27nUH0e9GuYxwX3p56684NB4xJXUfEL2yl9Zt8rMEpD1I1hI5exg75ZP7MCSjzoNgr7fmpGuDNWWhRALh6sY4Dv5BSgE9B0No0xwFOLnAV4NMsvimJg5rBlJXepOhW4JfwZ3TnzXtDUk3oeajhRxPtjbkxt5NrSYMxUwBggkcoi4eOfVpo8crmQNrSVQ",
  "token_type" : "Bearer",
  "expires_in" : 299
}
Response Parameters
Parameter | Data Type | Description |
access_token | String | OAuth 2.0 Access Token (JWT). |
token_type | String | Token type; currently the fixed value Bearer is returned. |
expires_in | Number | Remaining validity of the Access Token, in seconds. Applies to the Access Token only; the ID Token carries its own exp claim. |
scope | String | Scope granted to the Access Token. |
refresh_token | String | OAuth 2.0 Refresh Token. Treat it as a long-lived credential: store it only in protected storage and never expose it to the browser or logs. |
id_token | String | OIDC ID Token (JWT). Verify its signature and its iss, aud and exp claims before trusting the identity it asserts. |
Exception response sample
Incorrect username or password:

HTTP/1.1 400 Bad Request
Content-Type: application/json;charset=UTF-8

{"error" : "invalid_grant","error_description" : "Wrong username or password"}

The user's status is abnormal (for example, the account is locked or frozen):

HTTP/1.1 400 Bad Request
Content-Type: application/json;charset=UTF-8

{"error" : "invalid_grant","error_description" : "Abnormal user status"}

The username is an attribute that the authentication source does not accept (for example, an email address is passed as the username, but the username-password authentication source does not have email address configured as an identifier attribute):

HTTP/1.1 400 Bad Request
Content-Type: application/json;charset=UTF-8

{"error" : "invalid_grant","error_description" : "Unsupported username identifier"}

The authentication source is neither the preferred nor an associated authentication source of the application:

HTTP/1.1 400 Bad Request
Content-Type: application/json;charset=UTF-8

{"error" : "invalid_auth_source","error_description" : "Auth source and application not associated"}
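The following is an added example, not code from the Tencent CIAM documentation or SDK, that ties the request parameters, success response and error responses above together from the client's side: it builds the form body (refusing to attach a client_secret on a public client), classifies the JSON response into a success or one of the error cases listed above, and decodes the sample ID Token from the success response to check its iss, aud, azp, exp and iat claims. Network I/O is left out so it runs offline; the ID Token constant is copied verbatim from the sample response, and the expected issuer and client_id are the values appearing in it. Signature verification needs the issuer's RS256 public keys, which this page does not give, so only the claim checks are shown; a real client must verify the signature first.

```python
"""Client-side handling of the /oauth2/token password grant (added example)."""
import base64
import json
from urllib.parse import urlencode

# Copied verbatim from the page's sample success response (mock tenant and user).
SAMPLE_ID_TOKEN = (
    "eyJraWQiOiI1MzQyOGU3ZS1kOTJiLTQ3OTAtOGIwMC0wMmEyZjc4NjUxNzMiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9"
    ".eyJzdWIiOiJNT0NLX1VTRVJfSUQiLCJhdWQiOiJURU5BTlRfQ0xJRU5UX0lEIiwiYXpwIjoiVEVOQU5UX0NMSUVOVF9JRCIsImlzcyI6Imh0dHBzOlwvXC9zYW1wbGUucG9ydGFsLnRlbmNlbnRjaWFtLmNvbSIsImV4cCI6MTY0MDU5MDYyNiwiaWF0IjoxNjQwNTg4ODI2LCJqdGkiOiI0Mzg0OTUwYS0zOTFlLTQ3MDgtYjFjYS05ZjVkNzQzN2Q3ZDIifQ"
    ".kaquINkB64dRAaXPG8KLBCpZ6hwNxtA5ruXpwYgEzFHppXQMqPRQQ-Iwn0659lpy8B2CqjRIar_A1xS518Uua3ItkUtoJQXcIxLDSGRatk6mZ6q7XgOHvALsLhQlYQjn36kXdnOJipPVB124y-o20UHwUC27nUH0e9GuYxwX3p56684NB4xJXUfEL2yl9Zt8rMEpD1I1hI5exg75ZP7MCSjzoNgr7fmpGuDNWWhRALh6sY4Dv5BSgE9B0No0xwFOLnAV4NMsvimJg5rBlJXepOhW4JfwZ3TnzXtDUk3oeajhRxPtjbkxt5NrSYMxUwBggkcoi4eOfVpo8crmQNrSVQ"
)
SAMPLE_ISSUER = "https://sample.portal.tencentciam.com"  # iss claim in the sample token
SAMPLE_CLIENT_ID = "TENANT_CLIENT_ID"                     # aud claim in the sample token
TOKEN_ENDPOINT = "/oauth2/token"


def build_token_request(client_id, auth_source_id, username, password,
                        client_secret=None, public_client=False):
    """Return the application/x-www-form-urlencoded body for the password grant.

    Web applications are confidential clients and must send client_secret.
    Single-page and mobile apps are public clients: the page says they do not
    send client_secret, and a secret shipped inside such an app can be read
    out of it, so a secret on a public client is rejected rather than leaked.
    """
    if public_client and client_secret is not None:
        raise ValueError("public clients (SPA/mobile) must not carry a client_secret")
    if not public_client and not client_secret:
        raise ValueError("web applications must send client_secret")
    params = {
        "grant_type": "password",
        "client_id": client_id,
        "auth_source_id": auth_source_id,
        "username": username,
        "password": password,
        "scope": "openid",
    }
    if client_secret is not None:
        params["client_secret"] = client_secret
    return urlencode(params)


def parse_token_response(status, body):
    """Classify the JSON response as a success or one of the page's error cases."""
    data = json.loads(body)
    if status == 200 and "access_token" in data:
        return {"ok": True, "tokens": data}
    return {"ok": False, "error": data.get("error"),
            "error_description": data.get("error_description")}


def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token):
    """Split a compact JWT and decode its header and payload. No signature check."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def check_id_token_claims(header, claims, expected_issuer, client_id, now, leeway=60):
    """Return the names of the failed checks; an empty list means the claims pass.

    'now' is a Unix timestamp so the check is reproducible; 'leeway' absorbs
    clock skew. This runs after signature verification in a real client.
    """
    problems = []
    if header.get("alg") != "RS256":  # pin the algorithm; the sample tokens use RS256
        problems.append("alg")
    if claims.get("iss") != expected_issuer:
        problems.append("iss")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud")
    if claims.get("azp", client_id) != client_id:  # authorized party, when present
        problems.append("azp")
    if now >= claims.get("exp", 0) + leeway:
        problems.append("exp")
    if claims.get("iat", 0) > now + leeway:
        problems.append("iat")
    return problems


if __name__ == "__main__":
    body = build_token_request("TENANT_CLIENT_ID", "MOCK_USERNAME_PASSWORD_AUTH_SOURCE_ID",
                               "MOCK_USERNAME", "MOCK_PASSWORD",
                               client_secret="TENANT_CLIENT_SECRET")
    print("POST", TOKEN_ENDPOINT, body)
    hdr, clm = decode_jwt_claims(SAMPLE_ID_TOKEN)
    print(clm["sub"], check_id_token_claims(hdr, clm, SAMPLE_ISSUER, SAMPLE_CLIENT_ID,
                                            now=clm["iat"] + 60))
```

The claim check takes the current time as an argument rather than reading the clock, so the same sample token can be checked as valid shortly after its iat and as expired after its exp. Pinning alg to RS256 before anything else rejects tokens that try to downgrade to an unsigned or HMAC algorithm.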