Resource Owner Password Credentials (ROPC)
The OAuth 2.0 ROPC grant (RFC 6749, section 4.3) lets a client exchange the user's username and password directly for tokens. Because the client sees the password in cleartext, use it only for highly trusted, first-party confidential clients that can keep a client secret, and only when no redirect-based flow is viable: RFC 6749 itself restricts the grant to cases where other grant types are not available, and the OAuth 2.0 Security Best Current Practice (RFC 9700) says it must not be used at all. Authorization Code + PKCE is preferred for public clients and is the recommended choice for new integrations.
Key points
- Audience: Confidential clients owned by the same organization as the authorization server
- Sensitive: The app receives the end-user's password in cleartext, so it must send it only over TLS to the token endpoint, never log or persist it, and discard it once tokens are issued
- MFA: Some tenants require MFA; a successful token request is then followed by the MFA endpoints listed under Next steps
Next steps
- Obtain your OAuth Client ID/Secret from OAuth Application
- Implement Get Token
- If MFA is required, continue with MFA Verify or MFA Bind
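The Get Token step above, worked through end to end as an added example; this is not code from this page or from the provider's SDK. The wire format follows RFC 6749 (client authentication per section 2.3.1, the password grant per section 4.3, the token and error responses per section 5). The endpoint URL https://issuer.example/oauth2/token, the client and user credentials, and the fake_provider transport are constructed so the example runs offline; the MFA Verify/MFA Bind steps are provider-specific and are not modeled.

```python
"""ROPC token request and response handling per RFC 6749 section 4.3.

Added example; the endpoint, credentials and fake transport below are
constructed assumptions, not values from the provider's documentation.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class TokenSet:
    access_token: str
    token_type: str
    expires_in: Optional[int]
    refresh_token: Optional[str]
    scope: Optional[str]


class TokenError(Exception):
    """OAuth error response (RFC 6749 section 5.2), e.g. invalid_grant."""

    def __init__(self, error: str, description: str = ""):
        super().__init__(f"{error}: {description}" if description else error)
        self.error = error
        self.description = description


def _basic_auth_header(client_id: str, client_secret: str) -> str:
    # RFC 6749 section 2.3.1: form-encode id and secret before Base64.
    user = urllib.parse.quote(client_id, safe="")
    pwd = urllib.parse.quote(client_secret, safe="")
    return "Basic " + base64.b64encode(f"{user}:{pwd}".encode()).decode()


def build_token_request(token_endpoint: str, client_id: str, client_secret: str,
                        username: str, password: str, scope: Optional[str] = None
                        ) -> Tuple[str, dict, bytes]:
    """Return (url, headers, body) for a grant_type=password request.

    The user's password travels only in the form body (TLS protects it on
    the wire); the client authenticates separately with HTTP Basic. The
    password is never logged and is not kept once the request is built.
    """
    form = {"grant_type": "password", "username": username, "password": password}
    if scope:
        form["scope"] = scope
    body = urllib.parse.urlencode(form).encode("ascii")  # escapes '&', '=' etc.
    headers = {
        "Authorization": _basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return token_endpoint, headers, body


def parse_token_response(status: int, raw: bytes) -> TokenSet:
    """Map the HTTP response to a TokenSet or raise TokenError."""
    data = json.loads(raw.decode("utf-8"))
    if status != 200:
        raise TokenError(data.get("error", "unknown_error"), data.get("error_description", ""))
    if "access_token" not in data or "token_type" not in data:
        raise TokenError("invalid_response", "missing access_token or token_type")
    if data["token_type"].lower() != "bearer":  # token_type is case-insensitive
        raise TokenError("unsupported_token_type", data["token_type"])
    # If the tenant requires MFA, the provider's MFA Verify / MFA Bind steps
    # follow here; how that is signalled is provider-specific and not modeled.
    return TokenSet(data["access_token"], data["token_type"], data.get("expires_in"),
                    data.get("refresh_token"), data.get("scope"))


def _send_https(url: str, headers: dict, body: bytes) -> Tuple[int, bytes]:
    """Real transport: POST over TLS only, returning (status, body) even on 4xx."""
    if not url.startswith("https://"):
        raise ValueError("token endpoint must use https")
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def request_token(token_endpoint, client_id, client_secret, username, password,
                  scope=None, send: Callable = _send_https) -> TokenSet:
    url, headers, body = build_token_request(token_endpoint, client_id, client_secret,
                                             username, password, scope)
    status, raw = send(url, headers, body)
    return parse_token_response(status, raw)


def fake_provider(url: str, headers: dict, body: bytes) -> Tuple[int, bytes]:
    """Constructed stand-in for the authorization server (offline demo only)."""
    form = urllib.parse.parse_qs(body.decode("ascii"))
    if headers.get("Authorization") != _basic_auth_header("demo-client", "s3cr3t"):
        return 401, json.dumps({"error": "invalid_client"}).encode()
    if form.get("grant_type") == ["password"] and form.get("username") == ["alice"] \
            and form.get("password") == ["p&ss=w0rd"]:
        return 200, json.dumps({"access_token": "at-123", "token_type": "Bearer",
                                "expires_in": 3600, "refresh_token": "rt-456",
                                "scope": "openid"}).encode()
    return 400, json.dumps({"error": "invalid_grant",
                            "error_description": "bad credentials"}).encode()


def demo_success() -> TokenSet:
    return request_token("https://issuer.example/oauth2/token", "demo-client", "s3cr3t",
                         "alice", "p&ss=w0rd", "openid", send=fake_provider)


def demo_wrong_password() -> Optional[str]:
    try:
        request_token("https://issuer.example/oauth2/token", "demo-client", "s3cr3t",
                      "alice", "wrong", "openid", send=fake_provider)
    except TokenError as e:
        return e.error
    return None


if __name__ == "__main__":
    print(demo_success())            # TokenSet(access_token='at-123', ...)
    print(demo_wrong_password())     # invalid_grant
```

Swap `fake_provider` for the default `_send_https` to talk to a real token endpoint. The password constructed here deliberately contains `&` and `=` to show that form encoding, not string concatenation, is what keeps the request well-formed; the same applies to the client secret in the Basic header.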