Use the resource owner password flow

The resource owner password grant (ROPG) is a non-interactive flow in which the client application collects the resource owner's username and password itself and sends them directly to CyberArk Identity in exchange for an access token. Because the client handles the user's credentials, it must be fully trusted by the user and by the organization.

This guide describes how the ROPG flow can be integrated with CyberArk Identity.

The ROPG flow has been removed from the OAuth 2.1 specification draft and is no longer recommended, because it exposes the user's credentials to the client and bypasses multi-factor authentication. Use it only for legacy integrations that cannot support a browser-based flow. See Integrate the authorization code flow with PKCE.

Before you begin

Set up the OAuth2 client custom application and select the auth method as Resource Owner.

How it works

In this flow:

  1. The client application (or relying party) requests an access token from CyberArk Identity by presenting its own client ID and secret together with the resource owner's username and password.

  2. CyberArk Identity authenticates the client (client ID and secret) and the resource owner (username and password) and returns an access token.

  3. The client application uses the access token to request protected resources.

Integrate the CyberArk Identity resource owner flow

The only CyberArk Identity endpoint the flow calls is /oauth2/token/<your app ID>. The request carries an Authorization header of type Basic whose value is the Base64 encoding of the client ID and client secret joined by a ":" character:

Header: Authorization Basic <Client ID:Client Secret (Base64 encoded)>

The body of the request specifies a grant_type of password, and optionally, a scope:

POST https://<yourtenant>/oauth2/token/<your app ID>

{
  "scope":"<OAuth Custom Scope(s)>",
  "grant_type":"password",
  "user_name":"<username>",
  "password":"<password>"
}

The response contains an access_token for use in subsequent API calls, as well as information about the token's expiration time, the scope for which access was granted, and the type of token issued:

Response

{
  "access_token":"abc1234asdf9823...",
  "expires_in":18000,
  "scope":"myscope",
  "token_type":"Bearer"
}

You can then use the token in subsequent API calls by including it in the Authorization header, prefixed with the token type (Bearer). Track expires_in and request a new token before it lapses. For example:

https://<yourtenant>/cdirectoryservice/createuser
Header: Authorization Bearer abc1234asdf9823...
{
"Name":"John",
...
}
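The complete exchange above, written as a small Python client so that the header construction, the request body, the response checks and the Bearer header for follow-on calls can be seen end to end. This is an added example and not CyberArk's own code or SDK. It assumes that the token endpoint accepts the JSON body shown on this page (the RFC 6749 default of application/x-www-form-urlencoded is selectable with as_form=True), that a refused request returns the standard "error" and "error_description" fields, and that the tenant, app ID, credentials and response values in the test are constructed placeholders.

```python
"""Minimal ROPG (grant_type=password) client for a CyberArk Identity tenant.

Added example; not CyberArk's own code. Assumptions (not stated on the page):
the token endpoint accepts a JSON body as shown on the page (RFC 6749's
default is application/x-www-form-urlencoded, selectable with as_form=True),
and refused requests carry the standard "error"/"error_description" fields.
"""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request


class TokenError(Exception):
    """Raised when the token endpoint refuses or malforms the response."""

    def __init__(self, status, error, description=""):
        super().__init__(f"{status} {error}: {description}")
        self.status = status
        self.error = error
        self.description = description


def basic_auth_header(client_id, client_secret):
    """Authorization header value: 'Basic ' + base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(tenant, app_id, client_id, client_secret,
                        username, password, scope=None, as_form=False):
    """Build the POST to https://<tenant>/oauth2/token/<app_id>.

    The resource owner's password travels only inside this request body;
    it is never logged and is not kept on the returned token object.
    """
    url = f"https://{tenant}/oauth2/token/{app_id}"
    body = {"grant_type": "password", "user_name": username, "password": password}
    if scope:
        body["scope"] = scope
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Accept": "application/json",
    }
    if as_form:  # RFC 6749 encoding, in case the tenant does not take JSON
        data = urllib.parse.urlencode(body).encode("utf-8")
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    else:  # JSON body, as shown on this page
        data = json.dumps(body).encode("utf-8")
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(url, data=data, headers=headers, method="POST")


def parse_token_response(status, body, now=None):
    """Validate a token response and return only what a caller needs.

    expires_in (seconds) is turned into an absolute expires_at so the token
    can be checked before every use; a missing expires_in counts as expired.
    """
    now = time.time() if now is None else now
    try:
        data = json.loads(body)
    except ValueError:
        raise TokenError(status, "invalid_response", "body is not JSON")
    if status != 200 or "error" in data:
        raise TokenError(status, data.get("error", "http_error"),
                         data.get("error_description", ""))
    if str(data.get("token_type", "")).lower() != "bearer":
        raise TokenError(status, "unsupported_token_type", str(data.get("token_type")))
    if not data.get("access_token"):
        raise TokenError(status, "invalid_response", "access_token missing")
    return {
        "access_token": data["access_token"],
        "expires_at": now + int(data.get("expires_in", 0)),
        "scope": data.get("scope", ""),
    }


def fetch_token(request, opener=urllib.request.urlopen):
    """Send the token request; 4xx bodies are parsed for the error, not dropped."""
    try:
        with opener(request) as resp:
            return parse_token_response(resp.status, resp.read())
    except urllib.error.HTTPError as exc:
        return parse_token_response(exc.code, exc.read())


def is_expired(token, now=None, skew=30):
    """True when the token is within `skew` seconds of expiry (renew early)."""
    now = time.time() if now is None else now
    return now + skew >= token["expires_at"]


def bearer_header(token):
    """Header for subsequent calls such as /cdirectoryservice/createuser."""
    return {"Authorization": "Bearer " + token["access_token"]}
```

Typical use is `token = fetch_token(build_token_request(...))`, then `is_expired(token)` before each call and `bearer_header(token)` on the request. The response parser rejects any token_type other than Bearer and any 200 that still carries an "error" field, so a misconfigured endpoint fails loudly instead of producing an empty Authorization header downstream.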