The resource owner password credentials grant type is suitable in cases where the resource owner has a trust relationship with the client, such as the device operating system or a highly privileged application. The authorization server should take special care when enabling this grant type and only allow it when other flows are not viable. Bear in mind that with this grant the client handles the user's cleartext password, which defeats OAuth's delegation model and precludes multi-factor authentication at the authorization server; the OAuth 2.0 Security Best Current Practice and OAuth 2.1 deprecate it, so prefer the authorization code flow (with PKCE) whenever the server offers it.
There's only one step in this process: the client sends the resource owner's username and password (plus its own client credentials, if the server requires them) directly to the token endpoint. After this step, the client owns a Token that can be used to authorize any subsequent request.
makeTokenRequest : (Result Http.Error AuthenticationSuccess -> msg) -> Authentication -> RequestParts msg
Builds the request components required to get a token in exchange for the resource owner (user) credentials. With elm/http 2.x, handing the parts to Http.request yields a Cmd, and the success value is an AuthenticationSuccess:
    let
        -- toMsg : Result Http.Error AuthenticationSuccess -> Msg
        req : Cmd Msg
        req =
            makeTokenRequest toMsg authentication |> Http.request
{ credentials : Maybe Credentials
, url : Url
, scope : List String
, username : String
, password : String
}
Request configuration for a Password authentication
credentials (RECOMMENDED): Credentials needed for Basic authentication, if needed by the authorization server.
url (REQUIRED): The token endpoint to contact the authorization server.
scope (OPTIONAL): The scope of the access request.
password (REQUIRED): Resource owner's password.
username (REQUIRED): Resource owner's username.
{ clientId : String
, secret : String
}
Describes at least a clientId and, if defined, a complete set of credentials with the secret. Optional, but may be required by the authorization server you interact with to perform HTTP 'Basic' authentication on top of the token request. Note that an Elm application is delivered to the browser, so a secret compiled into it is readable by every user: such a client is a public client in RFC 6749 terms, and a server that insists on a secret from it gains no real client authentication.
{ clientId = "<my-client-id>"
, secret = "<my-client-secret>"
}
{ token : OAuth.Token
, refreshToken : Maybe OAuth.Token
, expiresIn : Maybe Basics.Int
, scope : List String
}
The response obtained as a result of an authentication:
token (REQUIRED): The access token issued by the authorization server.
refreshToken (OPTIONAL): The refresh token, which can be used to obtain new access tokens using the same authorization grant as described in Section 6 of RFC 6749.
expiresIn (RECOMMENDED): The lifetime in seconds of the access token. For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated. If omitted, the authorization server SHOULD provide the expiration time via other means or document the default value.
scope (OPTIONAL, if identical to the scope requested; otherwise, REQUIRED): The scope of the access token as described by Section 3.3 of RFC 6749.
{ error : OAuth.ErrorCode
, errorDescription : Maybe String
, errorUri : Maybe String
}
Describes an OAuth error as a result of a request failure:
error (REQUIRED): A single ASCII error code.
errorDescription (OPTIONAL): Human-readable ASCII text providing additional information, used to assist the client developer in understanding the error that occurred. Values for the errorDescription parameter MUST NOT include characters outside the set %x20-21 / %x23-5B / %x5D-7E.
errorUri (OPTIONAL): A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error. Values for the errorUri parameter MUST conform to the URI-reference syntax and thus MUST NOT include characters outside the set %x21 / %x23-5B / %x5D-7E.
{ method : String
, headers : List Http.Header
, url : String
, body : Http.Body
, expect : Http.Expect a
, timeout : Maybe Basics.Float
, tracker : Maybe String
}
Parts required to build a request. This record is given to Http.request in order to create a new request and may be adjusted at will (for instance to replace expect, add headers, or set a tracker).
defaultAuthenticationSuccessDecoder : Json.Decode.Decoder AuthenticationSuccess
Json decoder for a positive response. You may provide a custom response decoder using other decoders from this module, or some of your own craft. The default is the composition of the field decoders exposed by this module:
    import Json.Decode as D exposing (Decoder)

    -- AuthenticationSuccess is a record alias, so it doubles as a 4-argument
    -- constructor taking token, refreshToken, expiresIn and scope in that order.
    defaultAuthenticationSuccessDecoder : Decoder AuthenticationSuccess
    defaultAuthenticationSuccessDecoder =
        D.map4 AuthenticationSuccess
            defaultTokenDecoder
            defaultRefreshTokenDecoder
            defaultExpiresInDecoder
            defaultScopeDecoder
defaultAuthenticationErrorDecoder : Json.Decode.Decoder AuthenticationError
Json decoder for an errored response.
    -- With elm/http 2.x, Http.Error's BadStatus carries only the status code, so the
    -- error body is only reachable from the raw Http.Response captured by
    -- Http.expectStringResponse (set it as the `expect` of the RequestParts before
    -- calling Http.request). Here `res : Http.Response String` is that raw response.
    case res of
        Http.BadStatus_ _ body ->
            case Json.Decode.decodeString OAuth.Password.defaultAuthenticationErrorDecoder body of
                Ok { error, errorDescription } ->
                    doSomething

                _ ->
                    parserFailed

        _ ->
            someOtherError
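The following is an added example (not code from elm-oauth2 itself) that ties the makeTokenRequest snippet and the error-decoder snippet above together: it builds the request with makeTokenRequest, then swaps the expect of the returned RequestParts for Http.expectStringResponse so that a 400 response's OAuth error body is decoded with defaultAuthenticationErrorDecoder instead of being thrown away. It assumes elm/http 2.x and elm/url; the module, message and type names, the scope value and the choice to pass credentials straight from a login form are this example's own assumptions.

```elm
module TokenRequest exposing (Msg(..), TokenFailure(..), requestToken, toResult)

{-| Added example, not part of elm-oauth2: a resource owner password credentials
request whose failure branch surfaces the decoded OAuth error body.

Assumes elm/http 2.x, elm/url and the OAuth.Password API documented on this page.
Endpoint, scope and message names are this example's own choices.
-}

import Http
import Json.Decode as D
import OAuth.Password as Password
import Url exposing (Url)


type Msg
    = GotToken (Result TokenFailure Password.AuthenticationSuccess)


{-| Separates an OAuth-level error (decoded from a 4xx body, e.g. invalid_grant)
from transport-level failures, so the UI can tell "wrong password" from "no network".
-}
type TokenFailure
    = OAuthError Password.AuthenticationError
    | Transport Http.Error


{-| Turn the raw response into a decoded success or failure. With elm/http 2.x,
Http.Error's BadStatus carries only the status code, so the body has to be read
here, before it is discarded.
-}
toResult : Http.Response String -> Result TokenFailure Password.AuthenticationSuccess
toResult response =
    case response of
        Http.BadUrl_ url ->
            Err (Transport (Http.BadUrl url))

        Http.Timeout_ ->
            Err (Transport Http.Timeout)

        Http.NetworkError_ ->
            Err (Transport Http.NetworkError)

        Http.BadStatus_ meta body ->
            -- RFC 6749 section 5.2: a 400 with a JSON {"error": ...} document.
            case D.decodeString Password.defaultAuthenticationErrorDecoder body of
                Ok oauthError ->
                    Err (OAuthError oauthError)

                Err _ ->
                    -- Not an OAuth error document (proxy page, HTML, ...): keep the status.
                    Err (Transport (Http.BadStatus meta.statusCode))

        Http.GoodStatus_ _ body ->
            case D.decodeString Password.defaultAuthenticationSuccessDecoder body of
                Ok success ->
                    Ok success

                Err err ->
                    Err (Transport (Http.BadBody (D.errorToString err)))


{-| Build the Cmd for the single step of this grant. `tokenUrl` is the server's
token endpoint; `clientCredentials` is Nothing for a public (browser) client, since
a secret compiled into Elm is readable by every user. The username and password come
straight from the login form and are never stored by this module.
-}
requestToken : Url -> Maybe Password.Credentials -> String -> String -> Cmd Msg
requestToken tokenUrl clientCredentials username password =
    let
        -- makeTokenRequest builds method, headers, url and form body for us ...
        parts =
            Password.makeTokenRequest (GotToken << Result.mapError Transport)
                { credentials = clientCredentials
                , url = tokenUrl
                , scope = [ "read" ] -- assumed scope for this example
                , username = username
                , password = password
                }
    in
    -- ... and we only swap its `expect` so that the error body is kept.
    Http.request { parts | expect = Http.expectStringResponse GotToken toResult }
```

Wire it up from a login form with something like Url.fromString on the token endpoint, mapped over requestToken (Url.fromString returns Nothing for a malformed endpoint, which is worth surfacing rather than silently ignoring). A server answering with invalid_grant then reaches update as GotToken (Err (OAuthError { error = ..., errorDescription = ..., errorUri = ... })), while a dropped connection arrives as Transport NetworkError, so the two can be shown differently without leaking anything beyond what the server already told the client.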
makeTokenRequestWith : OAuth.GrantType -> Json.Decode.Decoder success -> Dict String String -> (Result Http.Error success -> msg) -> Authentication -> RequestParts msg
Like makeTokenRequest, but gives you the ability to specify a custom grant type and extra fields to be set on the query.
makeTokenRequest : (Result Http.Error AuthenticationSuccess -> msg) -> Authentication -> RequestParts msg
makeTokenRequest =
makeTokenRequestWith Password defaultAuthenticationSuccessDecoder Dict.empty
defaultExpiresInDecoder : Json.Decode.Decoder (Maybe Basics.Int)
Json decoder for the expiresIn field.
defaultScopeDecoder : Json.Decode.Decoder (List String)
Json decoder for the scope field (space-separated).
lenientScopeDecoder : Json.Decode.Decoder (List String)
Json decoder for the scope field (comma- or space-separated).
defaultTokenDecoder : Json.Decode.Decoder OAuth.Token
Json decoder for the access_token field.
defaultRefreshTokenDecoder : Json.Decode.Decoder (Maybe OAuth.Token)
Json decoder for the refresh_token field.
defaultErrorDecoder : Json.Decode.Decoder OAuth.ErrorCode
Json decoder for the error field.
defaultErrorDescriptionDecoder : Json.Decode.Decoder (Maybe String)
Json decoder for the error_description field.
defaultErrorUriDecoder : Json.Decode.Decoder (Maybe String)
Json decoder for the error_uri field.
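The following is an added example (not code from elm-oauth2 itself) showing how makeTokenRequestWith and the individual field decoders above combine when a server departs from RFC 6749's response shape. It assumes, for illustration only, a server that returns scope comma-separated, sometimes sends expires_in as a numeric string, and expects an extra audience form field; the module name, the audience value and elm/http 2.x are this example's own assumptions.

```elm
module LenientTokenRequest exposing (expiresInDecoder, lenientSuccessDecoder, requestToken)

{-| Added example, not part of elm-oauth2: a password-grant request against a
server that (assumed here) returns `scope` comma-separated, may send `expires_in`
as a string such as "3600", and wants an extra `audience` field. Assumes elm/http 2.x
and the decoders documented on this page.
-}

import Dict
import Http
import Json.Decode as D
import OAuth exposing (GrantType(..))
import OAuth.Password as ROPC


{-| Accept `expires_in` as a numeric string or as an integer. The string branch is
tried first: it fails on a JSON number and on a missing field, at which point the
page's default decoder takes over. The final D.succeed keeps a malformed value from
failing the whole token response; a missing lifetime is tolerable, a lost token is not.
-}
expiresInDecoder : D.Decoder (Maybe Int)
expiresInDecoder =
    D.oneOf
        [ D.field "expires_in" D.string |> D.map String.toInt
        , ROPC.defaultExpiresInDecoder
        , D.succeed Nothing
        ]


{-| Same shape as the page's defaultAuthenticationSuccessDecoder, with the two
lenient field decoders swapped in. -}
lenientSuccessDecoder : D.Decoder ROPC.AuthenticationSuccess
lenientSuccessDecoder =
    D.map4 ROPC.AuthenticationSuccess
        ROPC.defaultTokenDecoder
        ROPC.defaultRefreshTokenDecoder
        expiresInDecoder
        ROPC.lenientScopeDecoder


{-| Build the Cmd. The grant type is still the standard `Password` constructor from
OAuth.GrantType; only the success decoder and the extra `audience` form field
(value assumed for this example) differ from makeTokenRequest.
-}
requestToken :
    (Result Http.Error ROPC.AuthenticationSuccess -> msg)
    -> ROPC.Authentication
    -> Cmd msg
requestToken toMsg authentication =
    ROPC.makeTokenRequestWith Password
        lenientSuccessDecoder
        (Dict.fromList [ ( "audience", "https://api.example.com" ) ])
        toMsg
        authentication
        |> Http.request
```

The ordering inside D.oneOf is the part to get right: decoders built with Json.Decode.maybe never fail, so placing the page's default decoder first would make the string branch unreachable. Keep the leniency confined to the fields you have actually seen misbehave; accepting arbitrary shapes for access_token or error would make it harder to notice a server that is answering with something other than a token response.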