I am trying to set up OAuth2 for Django + Rest Framework using Django OAuth Toolkit, and here's the puzzle I can't understand when using "Resource owner password-based" authorization type.
I can successfully get access_token for the same user that registered the Application (Client Owner) using:
However, when I try to use same client_id and client_secret, but change the username and password for a different user, I get
{
"error_description": "Invalid credentials given.",
"error": "invalid_grant"
}
So it seems like the registered application can only use one "resource owner" - the "application (client) owner" itself, which makes "resource owner password-based" authorization type useless, since it acts the same way as "client credentials" but without using "username" and "password". In other words, I need the registered application to act on behalf of another user, and not the user that has registered the application (me), but I can't get around it.
Of course I always can write custom authorization code, but shouldn't it be supported out of the box (I wonder)?
django-oauth-toolkitfollows the rfc. Try to set a new app, from scratch, and do it again. If it doesn't work add more info – NBajanca