The password grant (the OAuth 2.0 resource owner password credentials grant) is used by highly trusted applications that authenticate a user directly. Unlike the authorization code and implicit grants, it does not redirect the user to a login page: the application collects the user's username and password itself and exchanges them for a token in a single request to the token endpoint. Because the application handles the user's password in the clear, this flow should only be used by trusted server-to-server applications.
You should use this flow only if all of the following apply:
- Using a redirect-based flow is not possible. If redirects are possible in your application, use the authorization_code or implicit flow instead. Prefer authorization_code: the implicit flow returns the token in the URL fragment and is deprecated by the OAuth 2.0 Security Best Current Practice.
- The application is absolutely trusted with the user's credentials.
Note that this flow only works with direct log-on credentials and cannot be used for SSO login.
Password grant is being sunset
As of 6/18/21, Seismic is sunsetting the password grant flow. The password grant type is no longer available for apps created on or after 6/18/21.
We recommend that trusted apps requiring server-to-server connections use the client credentials grant type instead. It is more secure, because the app never handles or stores a user's password, and it removes the need to update your app's configuration whenever that user's password expires or is rotated.
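As an added example (not Seismic's code and not an API described on this page), the following Python builds the two token requests in the form RFC 6749 defines them and runs them against a constructed stand-in for a token endpoint. It demonstrates the difference in what the app must hold (the user's password versus only the app's own secret) and the failure mode behind the recommendation above: once the user's password expires, the password grant stops returning tokens while the client credentials grant keeps working. The token endpoint URL, the client_id and secret, and the user record are all hypothetical.

```python
import base64
import hmac
from urllib.parse import urlencode, parse_qs

# Hypothetical token endpoint: this page does not give Seismic's real one.
TOKEN_ENDPOINT = "https://auth.example.com/oauth/token"


def _client_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic client authentication (RFC 6749 section 2.3.1)."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def _token_request(client_id: str, client_secret: str, params: dict) -> dict:
    """Describe an HTTP POST to the token endpoint without sending it."""
    return {
        "method": "POST",
        "url": TOKEN_ENDPOINT,
        "headers": {
            "Authorization": _client_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode(params),
    }


def password_grant_request(client_id, client_secret, username, password) -> dict:
    """Resource owner password credentials request (RFC 6749 section 4.3.2).
    The user's password travels in the request body, which is why only a
    fully trusted application may use this grant."""
    return _token_request(client_id, client_secret,
                          {"grant_type": "password", "username": username, "password": password})


def client_credentials_request(client_id, client_secret) -> dict:
    """Client credentials request (RFC 6749 section 4.4.2): only the app's own
    credentials are sent, so no user password is ever handled or stored."""
    return _token_request(client_id, client_secret, {"grant_type": "client_credentials"})


# Constructed stand-in data for the fake authorization server below.
CLIENTS = {"app-123": "app-s3cret"}  # client_id -> client_secret (constructed)
USERS = {"alice": {"password": "hunter2", "password_expired": False}}  # constructed


def fake_token_endpoint(request: dict, users: dict = USERS) -> dict:
    """Minimal token endpoint (not Seismic's): authenticates the client, then
    issues a token or an RFC 6749 section 5.2 error for the two grant types."""
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Basic "):
        return {"error": "invalid_client"}
    client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
    expected = CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        return {"error": "invalid_client"}

    params = {k: v[0] for k, v in parse_qs(request["body"]).items()}
    grant = params.get("grant_type")
    if grant == "client_credentials":
        return {"access_token": f"cc-token-for-{client_id}", "token_type": "Bearer", "expires_in": 3600}
    if grant == "password":
        user = users.get(params.get("username", ""))
        if (user is None
                or not hmac.compare_digest(user["password"].encode(), params.get("password", "").encode())
                or user["password_expired"]):
            # Wrong and expired passwords get the same error, so the client
            # cannot distinguish them: it simply stops working at expiry.
            return {"error": "invalid_grant"}
        return {"access_token": f"pw-token-for-{params['username']}", "token_type": "Bearer", "expires_in": 3600}
    return {"error": "unsupported_grant_type"}


def outcome_after_password_expiry() -> dict:
    """Run both grants before and after alice's password expires and return
    what each call produced: the operational failure the text warns about."""
    users = {"alice": {"password": "hunter2", "password_expired": False}}
    pw_req = password_grant_request("app-123", "app-s3cret", "alice", "hunter2")
    cc_req = client_credentials_request("app-123", "app-s3cret")
    before = {"password": fake_token_endpoint(pw_req, users),
              "client_credentials": fake_token_endpoint(cc_req, users)}
    users["alice"]["password_expired"] = True  # simulate the password-expiry event
    after = {"password": fake_token_endpoint(pw_req, users),
             "client_credentials": fake_token_endpoint(cc_req, users)}
    return {"before": before, "after": after}


if __name__ == "__main__":
    import json
    print(json.dumps(outcome_after_password_expiry(), indent=2))
```

The request builders show what each grant puts on the wire: the password grant body carries `username` and `password`, so the app must store a user's password (and every rotation of it) in its configuration; the client credentials body carries only `grant_type`, with the app authenticating itself through the Basic header. Against a real token endpoint, send the returned dict with any HTTP client and handle the `error` field exactly as the stand-in returns it.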
Existing apps already using the password grant flow will be able to continue using it after 6/18/21. Because authorization flows are linked to a client_id, the password grant type will continue to work as usual for:
- Apps using password flow that have not been edited to reflect a new client_id and are either already installed in a tenant or newly installed in a tenant (i.e. via the app distribution link)
- Apps that have been modified to use a new client_id but are still being used by a tenant that has not yet updated the app
However, once an app is updated to use a new grant type, it will not be permitted to revert to the password grant flow. Similarly, if an app is updated such that it has a new client_id, it will need to choose a different grant type.