Olympus Docs
ReferenceGrants

Resource Owner Password Credentials

Client collected the user's password and POSTed directly to the token endpoint. The user's password is in your app, defeats the point of OAuth2 delegation.

Resource Owner Password Credentials

Spec: RFC 6749 §4.3 (deprecated)

Supported in Olympus: No (deprecated; do not use)

When to use

Never. Removed in OAuth 2.1. Use Authorization Code instead.

How it works

Client collected the user's password and POSTed directly to the token endpoint. The user's password is in your app, defeats the point of OAuth2 delegation.

Why not

This grant is deprecated and removed in OAuth 2.1. Olympus rejects it. The replacement is Authorization Code + PKCE.

Implicit

Returned tokens directly in the authorization URL fragment. Insecure (token in URL, browser history, referrer).

MFA methods

Multi-factor authentication methods supported by Olympus

On this page

Resource Owner Password CredentialsWhen to useHow it worksWhy notRelated