Hi,
I am trying to make an API call through Postman to generate an access token with grant type "password", but I get the error "{"ErrorCode" : "invalid_client", "Error" :"Client identifier is required"}", even though I am passing username and password in the body section and client_id and secret in the request header.
<Flow name="Generate Access Token Password">
  <Description>flow for generating access token using password grant type</Description>
  <Request>
    <Step>
      <Name>OAuth_V2_Generate_Access_Token_Password</Name>
      <Condition>(proxy.pathsuffix MatchesPath "/access_token_password") and (request.verb = "POST")</Condition>
    </Step>
  </Request>
  <Response/>
</Flow>
Below is the OAuth policy I am using,
<Operation>GenerateAccessToken</Operation>
<SupportedGrantTypes>
  <GrantType>password</GrantType>
</SupportedGrantTypes>
<GrantType>
  <UserName>username</UserName>
  <PassWord>password</PassWord>
</GrantType>
<GenerateResponse enabled="true"/>
Several things that jump out at me:
My configuration looks like this:
<OAuthV2 name='OAuthV2-Generate-token-password'>
  <Operation>GenerateAccessToken</Operation>
  <SupportedGrantTypes>
    <GrantType>password</GrantType>
  </SupportedGrantTypes>
  <!-- 2400000 = 40 minutes -->
  <ExpiresIn ref='flow.variable'>2400000</ExpiresIn>
  <!-- 691200000 = 8 days -->
  <RefreshTokenExpiresIn>691200000</RefreshTokenExpiresIn>
  <!-- name of CONTEXT VARIABLE that specifies the requested grant type -->
  <GrantType>request.formparam.grant_type</GrantType>
  <!-- names of CONTEXT VARIABLES that specify username and password -->
  <UserName>request.formparam.username</UserName>
  <PassWord>request.formparam.password</PassWord>
  <GenerateResponse enabled='true'/>
  <RFCCompliantRequestResponse>true</RFCCompliantRequestResponse>
</OAuthV2>
And when I invoke with curl like this, it works:
curl -X POST -i $endpoint/oauth2-pg/token \
-d grant_type=password -d username=someone -d password=12345 \
-u $client_id:$client_secret
Some notes:
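As an added example that is not code from the thread or from Apigee: the script below builds the same request the curl command in the reply above sends (Basic credentials in the Authorization header, grant_type/username/password as form parameters) and simulates how a policy that reads its inputs from request.formparam.* locates the client identifier, producing the exact "invalid_client" error from the question when the credentials are only in custom headers. The lookup order (Basic header, then client_id form parameter), the sample credentials and the helper names are assumptions for illustration.

```python
import base64
from urllib.parse import parse_qs, urlencode

# Constructed sample values; they are not real Apigee credentials.
SAMPLE_CLIENT_ID = "sample-client-id"
SAMPLE_CLIENT_SECRET = "sample-client-secret"


def build_token_request(client_id, client_secret, username, password):
    """Build what the curl command sends: Basic credentials in the
    Authorization header (curl -u) and the grant as form parameters (-d)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "password",
                      "username": username, "password": password})
    return headers, body


def resolve_client_id(headers, body):
    """Locate the client identifier the way the policy needs it (assumed
    order): Basic Authorization header first, then a client_id form
    parameter (request.formparam.client_id). Custom headers are ignored."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            client_id, _, _secret = base64.b64decode(auth[6:]).decode().partition(":")
            if client_id:
                return client_id
        except (ValueError, UnicodeDecodeError):
            pass  # malformed header: fall through to the form parameter
    return parse_qs(body).get("client_id", [None])[0]


def token_response(headers, body):
    """Simulate the policy outcome for one request (success dict is constructed)."""
    client_id = resolve_client_id(headers, body)
    if client_id is None:
        # The exact error text from the question.
        return {"ErrorCode": "invalid_client", "Error": "Client identifier is required"}
    form = parse_qs(body)
    return {"client_id": client_id, "username": form.get("username", [None])[0]}


if __name__ == "__main__":
    ok_headers, body = build_token_request(SAMPLE_CLIENT_ID, SAMPLE_CLIENT_SECRET, "someone", "12345")
    print(token_response(ok_headers, body))
    # Assumed shape of the failing Postman call: credentials in custom headers only.
    bad_headers = {"client_id": SAMPLE_CLIENT_ID, "client_secret": SAMPLE_CLIENT_SECRET}
    print(token_response(bad_headers, body))
```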
While you are referring to Dino's detailed reply to get it resolved, just FYI: because the Resource Owner Password (ROP) flow involves the application handling the user's password, it must not be used by third-party clients and is mostly used in cases where the app is highly trusted.
https://cloud.google.com/apigee/docs/api-platform/security/oauth/implementing-password-grant-type
General thought: why not use different options for the use case (if possible), as the password grant will be omitted in the newer OAuth 2.1 spec (it's not yet published), but that's the future.
fyi: