
> Learn how the OIDC-conformant pipeline affects the Resource Owner Password (ROP) Flow.

# Resource Owner Password Flow with OIDC


The [Resource Owner Password Flow](/docs/get-started/authentication-and-authorization-flow/resource-owner-password-flow) (sometimes called <Tooltip tip="Resource Owner: Entity (such as a user or application) capable of granting access to a protected resource." cta="View Glossary" href="/docs/glossary?term=Resource+Owner">Resource Owner</Tooltip> Password Grant or ROPG) is used by highly-trusted applications to provide active authentication. Unlike the authorization code and implicit grants, this authentication mechanism does not redirect users to Auth0. It authenticates users with a single request, exchanging their password credentials for a token.

The OIDC-conformant pipeline affects the Resource Owner Password Flow in the following areas:

* Authentication request
* Authentication response
* <Tooltip tip="ID Token: Credential meant for the client itself, rather than for accessing a resource." cta="View Glossary" href="/docs/glossary?term=ID+token">ID token</Tooltip> structure
* <Tooltip tip="Access Token: Authorization credential, in the form of an opaque string or JWT, used to access an API." cta="View Glossary" href="/docs/glossary?term=Access+token">Access token</Tooltip> structure

## Authentication request

### Legacy

```json lines theme={null}
POST /oauth/ro HTTP 1.1
Content-Type: application/json
{
  "grant_type": "password",
  "client_id": "123",
  "username": "alice",
  "password": "A3ddj3w",
  "connection": "my-database-connection",
  "scope": "openid email favorite_color offline_access",
  "device": "my-device-name"
}
```

The `device` parameter is only needed if requesting a <Tooltip tip="Refresh Token: Token used to obtain a renewed Access Token without forcing users to log in again." cta="View Glossary" href="/docs/glossary?term=refresh+token">refresh token</Tooltip> by passing the `offline_access` scope.

### OIDC-conformant

```json lines theme={null}
POST /oauth/token HTTP 1.1
Content-Type: application/x-www-form-urlencoded
grant_type=http%3A%2F%2Fauth0.com%2Foauth%2Fgrant-type%2Fpassword-realm&client_id=123&username=alice&password=A3ddj3w&realm=my-database-connection&scope=openid+email+offline_access&audience=https%3A%2F%2Fapi.example.com
```

* The endpoint to execute credential exchanges is `/oauth/token`.
* Auth0's own grant type is used to authenticate users from a specific connection (`realm`). The standard OIDC password grant is also supported, but it does not accept Auth0-specific parameters such as `realm`.
* `favorite_color` is no longer a valid scope.
* The `device` parameter is removed.
* The `audience` parameter is optional.
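To make the differences between the two requests concrete, here is an added Python example (not code from the Auth0 documentation) that builds the form-encoded `/oauth/token` body shown above and translates the legacy `/oauth/ro` JSON body into it. The function names `build_token_request` and `legacy_to_oidc` and the `drop_scopes` parameter are my own; the sample values are copied from the page's requests.

```python
from urllib.parse import urlencode

# Grant type identifiers as used on the page: Auth0's password-realm grant and
# the standard OIDC password grant.
PASSWORD_REALM_GRANT = "http://auth0.com/oauth/grant-type/password-realm"
STANDARD_PASSWORD_GRANT = "password"

# Constructed copy of the legacy /oauth/ro body from the page.
LEGACY_REQUEST = {
    "grant_type": "password",
    "client_id": "123",
    "username": "alice",
    "password": "A3ddj3w",
    "connection": "my-database-connection",
    "scope": "openid email favorite_color offline_access",
    "device": "my-device-name",
}


def build_token_request(client_id, username, password, scopes, realm=None, audience=None):
    """Return path, headers and form-encoded body for an OIDC-conformant /oauth/token call.

    A realm selects Auth0's password-realm grant; without one the standard
    password grant is used, which accepts no realm, so none is sent.
    """
    params = {
        "grant_type": PASSWORD_REALM_GRANT if realm else STANDARD_PASSWORD_GRANT,
        "client_id": client_id,
        "username": username,
        "password": password,
    }
    if realm:
        params["realm"] = realm
    params["scope"] = " ".join(scopes)   # space-separated; urlencode turns spaces into '+'
    if audience:
        params["audience"] = audience    # optional; names the API the access token is minted for
    return {
        "path": "/oauth/token",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(params),
    }


def legacy_to_oidc(legacy, audience=None, drop_scopes=()):
    """Translate a legacy /oauth/ro JSON body into the OIDC-conformant request.

    'connection' becomes 'realm'; 'device' is dropped because a refresh token now
    depends only on the offline_access scope; scopes the caller lists in
    drop_scopes (such as custom claim names that are no longer valid scopes) are removed.
    """
    scopes = [s for s in legacy["scope"].split() if s not in set(drop_scopes)]
    return build_token_request(
        legacy["client_id"], legacy["username"], legacy["password"], scopes,
        realm=legacy.get("connection"), audience=audience,
    )


if __name__ == "__main__":
    req = legacy_to_oidc(LEGACY_REQUEST, audience="https://api.example.com",
                         drop_scopes=("favorite_color",))
    print("POST", req["path"])
    print(req["body"])
```

Running the module prints exactly the OIDC-conformant body from the page; passing no `realm` switches to the standard `grant_type=password` form, which carries neither `realm` nor `device`.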

## Authentication response

### Legacy

```json lines theme={null}
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
{
    "access_token": "SlAV32hkKG",
    "token_type": "Bearer",
    "refresh_token": "8xLOxBtZp8",
    "expires_in": 3600,
    "id_token": "eyJ..."
}
```

* The returned access token is only valid for calling the [`/userinfo`](https://auth0.com/docs/api/authentication#get-user-info) endpoint.
* A refresh token will be returned only if a `device` parameter was passed and the `offline_access` scope was requested.

### OIDC-conformant

```json lines theme={null}
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
{
    "access_token": "eyJ...",
    "token_type": "Bearer",
    "refresh_token": "8xLOxBtZp8",
    "expires_in": 3600,
    "id_token": "eyJ..."
}
```

* The returned access token is valid for calling the `/userinfo` endpoint (provided that the API specified by the `audience` parameter uses `RS256` as [signing algorithm](/docs/get-started/applications/signing-algorithms)) and optionally the <Tooltip tip="Resource Server: Server hosting protected resources. Resource servers accept and respond to protected resource requests." cta="View Glossary" href="/docs/glossary?term=resource+server">resource server</Tooltip> specified by the `audience` parameter.
* The ID token will be forcibly signed using `RS256` if requested by a public application. To learn more, read [Confidential and Public Applications](/docs/get-started/applications/confidential-and-public-applications).
* A refresh token will be returned only if the `offline_access` scope was granted.

## ID Token structure

### Legacy

```json lines theme={null}
{
    "sub": "auth0|alice",
    "iss": "https://{yourDomain}/",
    "aud": "123",
    "exp": 1482809609,
    "iat": 1482773609,
    "email": "alice@example.com",
    "email_verified": true,
    "favorite_color": "blue"
}
```

### OIDC-conformant

```json lines theme={null}
{
    "sub": "auth0|alice",
    "iss": "https://{yourDomain}/",
    "aud": "123",
    "exp": 1482809609,
    "iat": 1482773609,
    "email": "alice@example.com",
    "email_verified": true,
    "https://app.example.com/favorite_color": "blue"
}
```

* The ID token will be forcibly signed using `RS256` if requested by a public application.
* The `favorite_color` claim must be namespaced and added through a rule. To learn more, read [Create Namespaced Custom Claims](/docs/secure/tokens/json-web-tokens/create-custom-claims).

## Access Token structure (optional)

### Legacy

```json JSON lines theme={null}
SlAV32hkKG
```

The returned access token is opaque and only valid for calling the `/userinfo` endpoint.

### OIDC-conformant

```json lines theme={null}
{
    "sub": "auth0|alice",
    "iss": "https://{yourDomain}/",
    "aud": [
        "https://api.example.com",
        "https://{yourDomain}/userinfo"
    ],
    "azp": "123",
    "exp": 1482816809,
    "iat": 1482809609,
    "scope": "openid email"
}
```

* The returned access token is a <Tooltip tip="JSON Web Token (JWT): Standard ID Token format (and often Access Token format) used to represent claims securely between two parties." cta="View Glossary" href="/docs/glossary?term=JWT">JWT</Tooltip> valid for calling the `/userinfo` endpoint (provided that the API specified by the `audience` parameter uses `RS256` as <Tooltip tip="Signing Algorithm: Algorithm used to digitally sign tokens to ensure the token has not been tampered with." cta="View Glossary" href="/docs/glossary?term=signing+algorithm">signing algorithm</Tooltip>) as well as the resource server specified by the `audience` parameter.
* Note that an opaque access token could still be returned if `/userinfo` is the only specified <Tooltip tip="Audience: Unique identifier of the audience for an issued token. Named aud in a token, its value contains the ID of either an application (Client ID) for an ID Token or an API (API Identifier) for an Access Token." cta="View Glossary" href="/docs/glossary?term=audience">audience</Tooltip>.
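The ID token and access token sections above describe what a consumer of these tokens has to check: that the token is a JWT at all (an opaque string comes back when `/userinfo` is the only audience), that `iss`, `aud` (a string on the ID token, an array on the access token), `exp`, `azp` and `scope` match expectations, and that custom claims are read under their namespace. The following added Python example (my own code, not Auth0's) implements those checks on the page's sample claims; `make_demo_jwt`, `is_jwt`, `unverified_claims`, `check_claims` and `namespaced_claim` are names I chose, and the `{yourDomain}` issuer is the page's placeholder. Signature verification against the tenant's JWKS is assumed to have happened before `check_claims` is consulted and is not shown.

```python
import base64
import json
import time

# Constructed sample values copied from the page's example claims; {yourDomain}
# is the page's own placeholder, not a real tenant.
ISSUER = "https://{yourDomain}/"
API_AUDIENCE = "https://api.example.com"
CLIENT_ID = "123"
CLAIM_NAMESPACE = "https://app.example.com/"

ACCESS_TOKEN_CLAIMS = {
    "sub": "auth0|alice",
    "iss": ISSUER,
    "aud": [API_AUDIENCE, ISSUER + "userinfo"],
    "azp": CLIENT_ID,
    "exp": 1482816809,
    "iat": 1482809609,
    "scope": "openid email",
}

ID_TOKEN_CLAIMS = {
    "sub": "auth0|alice",
    "iss": ISSUER,
    "aud": CLIENT_ID,
    "exp": 1482809609,
    "iat": 1482773609,
    "email": "alice@example.com",
    "email_verified": True,
    "https://app.example.com/favorite_color": "blue",
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_jwt(claims: dict) -> str:
    """Assemble a JWT-shaped string with a placeholder signature so the structural
    checks below can run offline. A real token is RS256-signed by the tenant."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


def is_jwt(token: str) -> bool:
    """True for header.payload.signature with a JSON header naming an alg;
    an opaque token such as 'SlAV32hkKG' returns False."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
        json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return False
    return isinstance(header, dict) and "alg" in header


def unverified_claims(token: str) -> dict:
    """Decode the payload without checking the signature. Trust the result only
    after the RS256 signature has been verified against the tenant JWKS."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def check_claims(claims, expected_audience, expected_issuer, required_scopes=(),
                 expected_azp=None, now=None, leeway=0):
    """Return a list of problems with the claims; an empty list means they are acceptable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]   # ID token: string; access token: array
    if expected_audience not in audiences:
        problems.append("audience mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        problems.append("expired")
    if expected_azp is not None and claims.get("azp") != expected_azp:
        problems.append("azp mismatch")
    missing = set(required_scopes) - set(claims.get("scope", "").split())
    if missing:
        problems.append("missing scopes: " + " ".join(sorted(missing)))
    return problems


def namespaced_claim(claims: dict, name: str, namespace: str = CLAIM_NAMESPACE):
    """Read a custom claim by its namespaced key; the legacy un-namespaced key is not consulted."""
    return claims.get(namespace + name)


if __name__ == "__main__":
    token = make_demo_jwt(ACCESS_TOKEN_CLAIMS)
    print("opaque legacy token is JWT:", is_jwt("SlAV32hkKG"))
    print("OIDC access token is JWT:", is_jwt(token))
    print("problems:", check_claims(unverified_claims(token), API_AUDIENCE, ISSUER,
                                    ["openid", "email"], expected_azp=CLIENT_ID))
    print("favorite_color:", namespaced_claim(ID_TOKEN_CLAIMS, "favorite_color"))
```

The `now` parameter exists so the page's 2016 timestamps can be checked deterministically; in a real resource server it defaults to the current time, and a resource server that receives an opaque token (`is_jwt` false) cannot validate it locally and has to treat it as unusable for the API.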

## Standard password grant requests

The Auth0 password realm grant is not defined by standard OIDC, but it is suggested as an alternative to the legacy resource owner endpoint because it supports the Auth0-specific `realm` parameter. The [standard OIDC flow is also supported](/docs/get-started/authentication-and-authorization-flow/resource-owner-password-flow) when using OIDC authentication.

## Learn more

* [Access Tokens with OIDC](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-access-tokens)
* [External APIs with OIDC](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-apis)
* [Authorization Code Flow with OIDC](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-auth-code-flow)
* [Client Credentials Flow with OIDC](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-client-credentials-flow)
* [Implicit Flow with OIDC](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-implicit-flow)
* [Refresh Tokens with OIDC](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-refresh-tokens)
