OAuth Resource Owner Flow with additional contract parameter

OAuth Resource Owner Flow with additional contract parameter

The Resource Owner Flow is one of the modes in the OAuth protocol. In this flow, a user can authenticate using the IDP contract that uses form-based authentication. Sometime during client application development, the application expects more than user credentials and wants to use additional information such as user DOB, PAN Card, etc. In such cases, it is not possible to use default contracts. To achieve such use cases, NAM provides a functionality to create and use a custom contract class.

From Access Manager 4.3 onwards, it’s possible to define which contract must be executed based on the parameter value sent during OAuth request or it can be configured through the admin console oauth configuration section.

How it works:

Create a custom authentication class with the desired additional parameter (sample attached - MultiParameterAuthClass). To learn more about how to use sample class, check the access manager developer documentation. How to deploy authentication class.

Define this either in the Oauth Resource Owner Configuration UI in the global setting or pass this parameter as acr value of the Oauth Resource owner request.

Note: This will work with NAM 4.4. For an alternate option, "Send additional param as part of password by some delimiter not contained in usual password like ppp$param2$param3. Let the custom auth class split the password into constituent part and validate."




Let us consider a scenario where a client application requires the user's PAN number along with the user's credentials for authentication. For this requirement, the administrator can configure Access Manager using the following steps:

    1. Create custom claas based on the provided sample file.


    1. Add custom class created in step 1 to Oauth global configuration.


    1. Update IDP server.

Testing the Authentication:

Create a resource owner flow request such as the following:

Case 1: When Parameters are correct:

curl -v -k -X POST -d 'grant_type=password&client_id=9fb726a1-1dd0-4717-874-bfc34b90d423&client_secret=j-L5uKeRnarmPNuoXos-h1EqeUjR3AWSZvwwDNtxbONEvmCI3vu0kPAMKQBGxkHvdfqkNXiXC-SmodPRoqFFBQ&username=vneeraj&password=novell&pan=pan123&acr=/custom/contract' https://sles12-acidp.labs.blr.novell.com:8443/nidp/oauth/nam/token

For information on the parameter click here.

If all of the parameters in the request are correct, the server will return the token and refresh token (optionally).

Case 2: In case parameter PAN value is incorrect:

{        "error":"invalid_grant",

"error_description":"invalid_grant: Invalid pan"





Some content on Community Tips & Information pages is not officially supported by Micro Focus. Please refer to our Terms of Use for more detail.
Top Contributors
Version history
Revision #:
2 of 2
Last update:
‎2020-01-31 11:52
Updated by:
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.