A public client using the resource owner password and username directly.
The resource owner password credentials grant type is suitable in cases where the resource owner has a trust relationship with the client, such as the device operating system or a highly privileged application. The authorization server should take special care when enabling this grant type, and only allow it when other flows are not viable.
The grant type is suitable for clients capable of obtaining the resource owner’s credentials (username and password, typically using an interactive form). It is also used to migrate existing clients using direct authentication schemes such as HTTP Basic or Digest authentication to OAuth by converting the stored credentials to an access token.
The method through which the client obtains the resource owner credentials is beyond the scope of this specification. The client MUST discard the credentials once an access token has been obtained.
prepare_request_body(username, password, body='', scope=None, include_client_id=False, **kwargs)
Add the resource owner password and username to the request body.
The client makes a request to the token endpoint by adding the following parameters using the “application/x-www-form-urlencoded” format per Appendix B in the HTTP request entity-body:
- username – The resource owner username.
- password – The resource owner password.
- body – Existing request body (URL encoded string) to embed parameters into. This may contain extra parameters. Default ‘’.
- scope – The scope of the access request as described by Section 3.3.
- include_client_id (Boolean) – True to send the client_id in the body of the upstream request. This is required if the client is not authenticating with the authorization server as described in Section 3.2.1. False otherwise (default).
- kwargs – Extra credentials to include in the token request.
If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in Section 3.2.1.
The prepared body will include all provided credentials as well as the grant_type parameter set to password:

>>> from oauthlib.oauth2 import LegacyApplicationClient
>>> client = LegacyApplicationClient('your_id')
>>> client.prepare_request_body(username='foo', password='bar', scope=['hello', 'world'])
'grant_type=password&username=foo&scope=hello+world&password=bar'
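The following is an added, self-contained example (not oauthlib's own code) that builds the same token request body from the parameters documented above, adds HTTP Basic client authentication for a confidential client (Section 3.2.1) or client_id in the body for a public one, and discards the resource owner's credentials once the token is obtained. The `post` callable, the `client_id` keyword and the `fetch_token` helper are assumptions for illustration.

```python
import base64
from urllib.parse import parse_qsl, quote, urlencode


def prepare_password_grant_body(username, password, body="", scope=None,
                                include_client_id=False, client_id=None, **kwargs):
    """Build the application/x-www-form-urlencoded entity-body of a
    resource owner password credentials token request (RFC 6749, 4.3.2)."""
    # Keep any parameters already present in the caller-supplied body.
    params = dict(parse_qsl(body, keep_blank_values=True)) if body else {}
    params["grant_type"] = "password"
    params["username"] = username
    params["password"] = password
    if scope:
        # scope is a space-delimited list (Section 3.3); accept a list or a string.
        params["scope"] = scope if isinstance(scope, str) else " ".join(scope)
    if include_client_id:
        # Only needed when the client does not authenticate per Section 3.2.1.
        if not client_id:
            raise ValueError("include_client_id=True requires a client_id")
        params["client_id"] = client_id
    params.update(kwargs)  # extra credentials to include in the token request
    return urlencode(params)  # spaces become '+', as in the doctest above


def basic_client_auth_header(client_id, client_secret):
    """HTTP Basic client authentication (Section 2.3.1): form-urlencode the
    id and secret, join with ':', then base64 the result."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def fetch_token(post, token_url, username, password, client_id,
                client_secret=None, scope=None):
    """Exchange the resource owner's credentials for an access token.
    `post` is a hypothetical callable (url, headers, body) -> JSON dict."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret:
        # Confidential client: authenticate via the Authorization header, not the body.
        headers.update(basic_client_auth_header(client_id, client_secret))
        body = prepare_password_grant_body(username, password, scope=scope)
    else:
        # Public client: no client authentication, so client_id goes in the body.
        body = prepare_password_grant_body(username, password, scope=scope,
                                           include_client_id=True, client_id=client_id)
    response = post(token_url, headers, body)
    # The client MUST discard the resource owner credentials once a token is obtained.
    del username, password, body
    return response["access_token"]
```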