What is the purpose of grant_type parameter in OAuth 2 Authentication
The grant_type URL parameter is required by OAuth2 RFC for the /token endpoint, which exchanges a grant for real tokens. So the OAuth2 server knows what you are sending to it. You are using the Resource Owner Password Credentials Grant, so you must specify it with the value password.
From the OAuth2 RFC:
An authorization grant is a credential representing the resource owner's authorization (to access its protected resources) used by the client to obtain an access token.
The grant_type=password means that you are sending a username and a password to the /token endpoint. If you used the Authorization Code Grant flow, you could use the value authorization_code. But then you don't send the username+password pair, but a code received from the OAuth2 server after user authentication. The code is an arbitrary string - not human readable. It's nicely shown in the workflow diagrams in the RFC.
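The dispatch described in the answer above, seen from the server side, as an added example that is not part of the original answer or any particular OAuth2 server's code: a /token handler reads grant_type first and only then knows which fields to expect. The function name, the enabled_grants parameter and the sample request bodies are assumptions constructed for illustration; the required fields and error codes follow RFC 6749.

```python
from urllib.parse import parse_qs

# Body parameters each core grant type must carry (RFC 6749 sections 4.1.3, 4.3.2, 4.4.2, 6).
REQUIRED_PARAMS = {
    "authorization_code": ("code",),
    "password": ("username", "password"),
    "client_credentials": (),
    "refresh_token": ("refresh_token",),
}


def _error(code, description):
    # Error body shape from RFC 6749 section 5.2; these cases are returned with HTTP 400.
    return 400, {"error": code, "error_description": description}


def classify_token_request(body, enabled_grants=tuple(REQUIRED_PARAMS)):
    """Decide, before any credential is verified, which grant a /token body carries.

    Hypothetical helper: enabled_grants is an assumed server-side setting.
    """
    params = parse_qs(body, keep_blank_values=True)
    # Request parameters must not appear more than once (RFC 6749 section 3.2).
    repeated = sorted(name for name, values in params.items() if len(values) > 1)
    if repeated:
        return _error("invalid_request", "repeated parameter: " + ", ".join(repeated))
    flat = {name: values[0] for name, values in params.items()}
    grant_type = flat.get("grant_type")
    if not grant_type:
        return _error("invalid_request", "grant_type is required")
    if grant_type not in REQUIRED_PARAMS or grant_type not in enabled_grants:
        return _error("unsupported_grant_type", "grant type not supported by this server")
    missing = [p for p in REQUIRED_PARAMS[grant_type] if not flat.get(p)]
    if missing:
        return _error("invalid_request", "missing for %s: %s" % (grant_type, ", ".join(missing)))
    # Pass on only the field names this grant defines; the next stage verifies their values.
    return 200, {"grant_type": grant_type, "grant_fields": list(REQUIRED_PARAMS[grant_type])}


if __name__ == "__main__":
    # Constructed sample bodies (application/x-www-form-urlencoded), not captured traffic.
    samples = [
        "grant_type=password&username=alice&password=example-password",
        "grant_type=authorization_code&code=EXAMPLE-CODE",
        "username=alice&password=example-password",
        "grant_type=password&code=EXAMPLE-CODE",
    ]
    for body in samples:
        print(body, "->", classify_token_request(body))
```

The last sample shows why the parameter matters: a code sent under grant_type=password is rejected as invalid_request, because the server interprets the body strictly according to the declared grant type.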