# Resource Owner Password Credentials (ROPC)
Unlike the other flows, ROPC requires the user to hand their username and password directly to the client application, which then sends them to the token endpoint itself; the Identity Provider (IDP) never gets to collect the credentials through its own sign-in page. This is not an ideal design, as Microsoft's own warning makes clear:
> [!WARNING] ⚠
> Microsoft recommends you do *not* use the ROPC flow. In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows aren't viable.

### Why?
If you are asking yourself why: the user is trusting the application directly with their credentials. In the other flows the user authenticates with the IDP, which is the trusted party, and the application only ever receives tokens; it never sees the password. With ROPC the password passes through the application (and any logs, memory dumps or compromised code paths it has), and the IDP cannot run a richer sign-in (MFA, passwordless, risk-based prompts) because all it receives is a username/password pair.

## Limitations
There are quite a few limitations with this flow. I will highlight some of them below:
- Personal (Microsoft) accounts can't be used with the ROPC flow, even when they are invited as guests in a tenant
- You must specify the `tenant` (ID or domain) or use the `organizations` endpoint; `common` and `consumers` are not supported
- Accounts without passwords (SMS sign-in, FIDO, Authenticator) won't work (you need the password!)
- Accounts that are required to do MFA (for example by a Conditional Access policy) will be blocked: ROPC has no way to complete the MFA challenge, so the token endpoint just returns an error

For a more detailed list checkout: https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth-ropc


---    

Import the local `OAuth2_Flows` module (it lives one directory up, hence the `sys.path` tweak) plus the `sys` and `pyperclip` packages.

In [None]:
import sys
sys.path.append('../')
import OAuth2_Flows
import pyperclip

Below are all the parameters required to execute the ROPC flow. Note that `redirect_uri` is not actually sent in an ROPC request (there is no browser redirect in this flow); it is only kept here for consistency with the other notebooks.

In [None]:
tenant_id = ''   # tenant ID or verified domain, or 'organizations'; 'common'/'consumers' are not allowed for ROPC
client_id = ''   # application (client) ID of the app registration
redirect_uri = 'https://localhost:44321/'   # unused by ROPC, kept for parity with the other flows

scope = 'openid profile email offline_access https://graph.microsoft.com/.default' #offline_access is required for refresh token

In [None]:
username = input('Enter your username: ')
#username = '' #if you want to hardcode the username

In [None]:
import getpass
password = getpass.getpass("Enter password: ")   # getpass does not echo the password into the notebook output
#password = '' #if you want to hardcode the password (and then it is in your notebook file and git history)

In [None]:
client_secret = getpass.getpass("Enter client secret (leave empty for a public client): ")
#client_secret = '' #if you want to hardcode the client secret

In [None]:
access_token, refresh_token, id_token  = OAuth2_Flows.ropc(tenant_id, client_id, username, password, scope, client_secret=client_secret)
# Bearer tokens on the clipboard are readable by any clipboard-history or sync tool on the box; clear it once you are done.
pyperclip.copy(access_token)
print(f'Access token copied to clipboard:\n{access_token}')
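To make visible what `OAuth2_Flows.ropc` has to do under the hood, here is an added example (my own code, not the notebook's `OAuth2_Flows` module, whose internals are not shown on this page). It builds the documented ROPC request (a form-encoded `POST` with `grant_type=password` to `/{tenant}/oauth2/v2.0/token`), parses the token response, and treats an MFA-required error (AADSTS50076/50079 in `error_codes`) as a non-retryable failure, which is the limitation described above. The helper names, the `transport` hook and the sample responses are my own constructions; the token values in them are fake.

```python
"""Minimal ROPC exchange against the Microsoft identity platform v2.0 token endpoint.

Added example; not the notebook's OAuth2_Flows module. Helper names and the
injectable `transport` are assumptions made for this illustration.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# AADSTS codes meaning the sign-in was blocked by an MFA requirement rather than a bad
# password. ROPC cannot answer an MFA challenge, so retrying with the same password is pointless.
MFA_BLOCKED_CODES = {50076, 50079}


class RopcError(Exception):
    """Token endpoint returned an OAuth error body instead of tokens."""

    def __init__(self, error, description, codes):
        super().__init__(f"{error}: {description}")
        self.error = error
        self.description = description
        self.codes = codes
        self.mfa_blocked = bool(codes & MFA_BLOCKED_CODES)


def build_ropc_request(tenant, client_id, username, password, scope, client_secret=None):
    """Return (url, form_fields) for the ROPC grant; rejects the unsupported tenant aliases."""
    if tenant in ("common", "consumers"):
        raise ValueError("ROPC needs a tenant ID/domain or 'organizations', not 'common'/'consumers'")
    form = {
        "grant_type": "password",
        "client_id": client_id,
        "scope": scope,
        "username": username,
        "password": password,
    }
    if client_secret:  # only a confidential client sends a secret; public clients omit it
        form["client_secret"] = client_secret
    return TOKEN_ENDPOINT.format(tenant=tenant), form


def parse_token_response(status, body):
    """Map the JSON body to (access_token, refresh_token, id_token) or raise RopcError."""
    data = json.loads(body)
    if status == 200 and "access_token" in data:
        # refresh_token is only present when offline_access was in scope; id_token needs openid
        return data["access_token"], data.get("refresh_token"), data.get("id_token")
    codes = set(data.get("error_codes", []))
    raise RopcError(data.get("error", "unknown_error"), data.get("error_description", ""), codes)


def _http_post(url, form):
    """Default transport: real HTTPS POST. Entra returns 400/401 with a JSON error body."""
    req = urllib.request.Request(
        url,
        data=urllib.parse.urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode()


def ropc(tenant, client_id, username, password, scope, client_secret=None, transport=None):
    """Run the ROPC exchange. `transport(url, form) -> (status, body)` lets tests replay canned replies."""
    url, form = build_ropc_request(tenant, client_id, username, password, scope, client_secret)
    status, body = (transport or _http_post)(url, form)
    return parse_token_response(status, body)


# Constructed sample responses in the documented shape; every value below is fake.
SAMPLE_OK = (200, json.dumps({
    "token_type": "Bearer", "expires_in": 3599,
    "access_token": "eyJ.fake.access", "refresh_token": "0.fake.refresh", "id_token": "eyJ.fake.id",
}))
SAMPLE_MFA_BLOCKED = (400, json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS50076: ... you must use multi-factor authentication to access ...",
    "error_codes": [50076],
}))


def fake_transport(replies):
    """Transport that replays the given (status, body) tuples and records what was sent."""
    seen = []

    def _send(url, form):
        seen.append((url, form))
        return replies.pop(0)

    _send.seen = seen
    return _send


if __name__ == "__main__":
    demo = fake_transport([SAMPLE_OK])
    print(ropc("contoso.onmicrosoft.com", "app-id", "user@contoso.com", "pw",
               "openid offline_access https://graph.microsoft.com/.default", transport=demo))
```

Drop the `transport` argument to hit the real endpoint. The point of keeping the request builder separate from the HTTP call is that you can see exactly which fields leave the application: the user's password is one of them, which is the whole trust problem with this flow.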

---    

### ADMIN CONSENT  
The app may need admin consent for the permissions in its scope. You can grant it either through the portal or by sending the tenant-wide admin consent URL to a browser (signed in as a user who can grant admin consent).
- Reference: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal#construct-the-url-for-granting-tenant-wide-admin-consent

> [!WARNING] Per the docs:
> Granting admin consent on behalf of an organization is a sensitive operation, potentially allowing the application's publisher access to significant portions of your organization's data, or the permission to do highly privileged operations.

#### Granting consent through the portal
Go to the app registration > API permissions > Grant admin consent for {tenant}

#### Granting consent via URL
Make a browser request to the URL: `https://login.microsoftonline.com/{organization}/adminconsent?client_id={client-id}` where `{organization}` is the tenant ID or a verified domain of the tenant consenting.

In [None]:
tenant_id = ''
client_id = ''

In [None]:
URL = f'https://login.microsoftonline.com/{tenant_id}/adminconsent?client_id={client_id}'
pyperclip.copy(URL)
print(f'URL copied to clipboard:\n{URL}')