OAuth2 Password Grant Flow Not Working in ABP.IO API

[yash202]

I'm attempting to get an access token programmatically through the /connect/token endpoint using the password grant flow. While the identity service works perfectly in the web interface, I'm having trouble getting tokens via direct API calls.

Current Approach:

http
POST https://localhost:44387/connect/token
Content-Type: application/x-www-form-urlencoded

grant_type=password
username=yash
password=Yash@123
client_id=IdentityService_Swagger
scope=IdentityService openid

Error Received:

json
{
"error": "unauthorized_client",
"error_description": "This client application is not allowed to use the token endpoint."
}

Additional Context:

The web version (interactive flow) works fine - users can login through the UI

Same credentials work in the web flow

Need this for automated testing and service-to-service auth

Using ABP.IO's built-in IdentityServer/OpenIddict implementation

What I've Verified:
✓ User credentials are correct
✓ Client ID exists in the system
✓ Scopes are registered
✓ Endpoint is reachable

Key Questions:

1. Can we access token through API?
2. Does ABP.IO require special configuration to enable password grant?
3. Are there additional security requirements for non-interactive flows?
4. Should I be using a different client_id for API access vs web access?
5. Is there any logging that would help diagnose why this client is being rejected?

[maliming]

hi

Your IdentityService_Swagger client/application needs the Permissions.Endpoints.Token permission.

https://github.com/abpframework/abp/blob/dev/modules/openiddict/app/OpenIddict.Demo.Server/EntityFrameworkCore/ServerDataSeedContributor.cs#L69

[yash202]

Thank you for quick response, but still getting the same error

Let me explain a bit, what I am trying here. I have created a boilerplate code for IdentitySerivice with microservice architecture using below command

abp new ABC.IdentityService --template app --database-provider ef --database-management-system sqlserver --ui none --mobile none --tiered --separate-identity-server --output-folder IdentityService

After running this command, solution is created and it is running as expected. And I am able to login in the web application of the identity service.

Now I am trying to get the token with the help of APIs. On trying this I am getting below error

{
"error": "unauthorized_client",
"error_description": "This client application is not allowed to use the token endpoint.",
"error_uri": "https://documentation.openiddict.com/errors/ID2063"
}

As per your suggestion, I have added the permission in OpenIddictDataSeedContributor.cs class in below fashion

// Swagger Client
var swaggerClientId = configurationSection["IdentityService_Swagger:ClientId"];
if (!swaggerClientId.IsNullOrWhiteSpace())
{
var swaggerRootUrl = configurationSection["IdentityService_Swagger:RootUrl"]?.TrimEnd('/');

await CreateApplicationAsync(
    name: swaggerClientId!,
    type: OpenIddictConstants.ClientTypes.Public,
    consentType: OpenIddictConstants.ConsentTypes.Implicit,
    displayName: "Swagger Application",
    secret: null,
    grantTypes: [
        OpenIddictConstants.GrantTypes.AuthorizationCode, 
        OpenIddictConstants.GrantTypes.ClientCredentials, 
        OpenIddictConstants.GrantTypes.RefreshToken, 
        OpenIddictConstants.GrantTypes.Password
        ],
    scopes: [
        OpenIddictConstants.Permissions.Scopes.Address,
        OpenIddictConstants.Permissions.Scopes.Email,
        OpenIddictConstants.Permissions.Scopes.Phone,
        OpenIddictConstants.Permissions.Scopes.Profile,
        OpenIddictConstants.Permissions.Scopes.Roles
        ],
    redirectUri: $"{swaggerRootUrl}/swagger/oauth2-redirect.html",
    clientUri: swaggerRootUrl,
    permissions: [
        OpenIddictConstants.Permissions.Endpoints.Token
        ]
);

}

I have this application in OpenIddictApplications database table

Id ApplicationType ClientId ClientSecret ClientType ConsentType DisplayName DisplayNames JsonWebKeySet Permissions PostLogoutRedirectUris Properties RedirectUris Requirements Settings ClientUri LogoUri ExtraProperties ConcurrencyStamp CreationTime CreatorId LastModificationTime LastModifierId IsDeleted DeleterId DeletionTime

DCBED2B0-60B4-461C-B2D2-75C154B53497 web IdentityService_Swagger null public implicit Swagger Client NULL NULL ["pm:token","pm:endpoint:token","pm:grant_type:password","pm:grant_type:refresh_token","pm:scope:email","pm:scope:profile","pm:scope:roles","pm:scope:IdentityService","pm:scope:offline_access", "pm:grant_type:client_credentials", "pm:grant_type:authorization_code"] ["https://localhost:44355/swagger/oauth2-redirect.html"] NULL ["https://localhost:44355/swagger/oauth2-redirect.html"] [] {} https://localhost:44355/swagger NULL {} B759294D-C8E8-48D7-8910-03714A610A95 2025-04-22 14:26:53.7800000 NULL NULL NULL 0 NULL NULL

I have added these scopes in OpenIddictScopes table

1. Id Description Descriptions DisplayName DisplayNames Name Properties Resources ExtraProperties ConcurrencyStamp CreationTime CreatorId LastModificationTime LastModifierId IsDeleted DeleterId DeletionTime

C54D124B-4F35-40B2-8ED5-304C65D0017D Offline Access NULL offline_access NULL offline_access {} [] {} 3FBA1582-0C4D-4697-8278-24F48C533A87 2025-04-22 14:26:32.9566667 NULL NULL NULL 0 NULL NULL

2. Id Description Descriptions DisplayName DisplayNames Name Properties Resources ExtraProperties ConcurrencyStamp CreationTime CreatorId LastModificationTime LastModifierId IsDeleted DeleterId DeletionTime

F48988B6-5599-4716-8D88-D84057460CB6 Identity Service NULL IdentityService NULL IdentityService {} ["IdentityService"] {} CB0F9F4F-6481-433E-853B-44777A48C7D1 2025-04-22 14:26:32.9566667 NULL NULL NULL 0 NULL NULL

I hope you got the understanding what we are doing here, please review will be waiting for your response.

[maliming]

You can upload your test project to GitHub.

[yash202]

Hello, this is the repo: https://github.com/yash202/IdentityService.ABP.IO

Contains the code, that I am trying to run. Please review.

[maliming]

hi

Your swagger client/application has no problem.

Can you share the full logs of the token request? Maybe you're using the wrong client ID.

https://github.com/yash202/IdentityService.ABP.IO/blob/main/src/OnlineRetail.IdentityService.Domain/OpenIddict/OpenIddictDataSeedContributor.cs#L93-L119

[yash202]

Please find logs for token request

Logs.ABP.IO.txt

[maliming]

Here is the code, and it works:

// Swagger Client
var swaggerClientId = configurationSection["IdentityService_Swagger:ClientId"];
if (!swaggerClientId.IsNullOrWhiteSpace())
{
	var swaggerRootUrl = configurationSection["IdentityService_Swagger:RootUrl"]?.TrimEnd('/');

	await CreateApplicationAsync(
		name: swaggerClientId!,
		type: OpenIddictConstants.ClientTypes.Public,
		consentType: OpenIddictConstants.ConsentTypes.Implicit,
		displayName: "Swagger Application",
		secret: null,
		grantTypes: [
			OpenIddictConstants.GrantTypes.AuthorizationCode,
			OpenIddictConstants.GrantTypes.ClientCredentials,
			OpenIddictConstants.GrantTypes.RefreshToken,
			OpenIddictConstants.GrantTypes.Password
			],
		scopes: [
			OpenIddictConstants.Permissions.Scopes.Address,
			OpenIddictConstants.Permissions.Scopes.Email,
			OpenIddictConstants.Permissions.Scopes.Phone,
			OpenIddictConstants.Permissions.Scopes.Profile,
			OpenIddictConstants.Permissions.Scopes.Roles,
			"IdentityService"
			],
		redirectUri: $"{swaggerRootUrl}/swagger/oauth2-redirect.html",
		clientUri: swaggerRootUrl
	);
}

[yash202]

I am getting the same response

Parameters:

grant_type:password
username:yash
password:Yash@123
client_id:IdentityService_Swagger
//client_secret:1q2w3e*
scope:IdentityService offline_access

Response:

{
"error": "unauthorized_client",
"error_description": "This client application is not allowed to use the token endpoint.",
"error_uri": "https://documentation.openiddict.com/errors/ID2063"
}

Could you please provide the changes you have done and cURL for the postman request.

[maliming]

You can migrate a new database and clear your Redis if you are using it.

[yash202]

Hello @maliming, I have migrated the database after creating application with suggested configuration. Below are the results

1. Result in postman

Parameters:

grant_type:password
username:admin
password:1q2w3E*
client_id:IdentityService_Swagger
scope:IdentityService offline_access

Response:

{
"error": "invalid_scope",
"error_description": "The specified 'scope' is invalid.",
"error_uri": "https://documentation.openiddict.com/errors/ID2052"
}

2. There are no records in table named 'OpenIddictApplications'
3. There are no records in table named 'OpenIddictScopes'

Note: Please provide your header details, so I can cross-check.

Please review all the details, and let me know what I need to check more. Or is I am missing something.

Thank You

[maliming]

hi @yash202

There are no records in table named 'OpenIddictApplications'
There are no records in table named 'OpenIddictScopes'

Please run this project to migrate the database.