Can you explain the specific development steps required to generate tokens based on the password mode?

Four authorization modes:

  • Password mode (Resource Owner Password Credentials)

  • Client mode (client_credentials)

  • Authorization code mode (authorization_code)

  • Implicit mode (implicit)

Resource Owner Password Credentials:

In this mode the user gives their password to the client, but the client must not store it. It is used only when the user places a high degree of trust in the client, for example when the client is part of the operating system or is produced by a well-known company. The authorization server should allow this mode only when the other authorization modes cannot be implemented.

(A) The user sends the parameters username and password to the client, which uses them to obtain the token.

(B) The authorization server verifies the credentials submitted by the client.

  • The required POST parameters are:

grant_type (specifies the authorization type; the value is password; mandatory)

scope (the requested permission scope, such as WebClient or mobileclient; optional)

client_id (value returned at registration)

client_secret (value returned at registration)

username (UTF-8 encoded; mandatory)

password (the user's password, UTF-8 encoded; mandatory)

(C) The authorization server returns an application/json response to the client containing the access token described below.

  • Password mode (Resource Owner Password Credentials) access token:

access_token (the access token the user presents to the API for resource access)


  • Authorization code mode (authorization_code) access token:

The response parameters are as follows:

access_token (the access token the user presents to the API for resource access)

refresh_token (used to obtain a new access token when the current one expires)

token_type (the token type; here Bearer, for HTTP bearer authentication)

expires_in (the lifetime of the access token)

If the access token has only a short lifetime, the client must have a way to refresh it.

(D) The client returns login success to the user.