Skip to content

Add Resource Owner Password Grant (ROPG) support#68

Closed
subhankarmaiti wants to merge 1 commit intomainfrom
feat/resource-owner-password-grant
Closed

Add Resource Owner Password Grant (ROPG) support#68
subhankarmaiti wants to merge 1 commit intomainfrom
feat/resource-owner-password-grant

Conversation

@subhankarmaiti
Copy link
Contributor

@subhankarmaiti subhankarmaiti commented Jan 21, 2026
edited
Loading

Adds support for the Resource Owner Password Grant flow, allowing highly-trusted applications to authenticate users directly with username and password.

Changes

New API:

  • get_token_by_password(options: TokenByPasswordOptions) method on ServerClient

New Types:

  • TokenByPasswordOptions - Pydantic model for authentication options
  • TokenByPasswordError - Custom error for authentication failures

Features

  • Username/password authentication via /oauth/token endpoint
  • Optional audience, scope, and realm parameters
  • IP forwarding support via auth0_forwarded_for for server-side apps
  • Session management with state store integration
  • Comprehensive error handling (invalid credentials, MFA required, account blocked, rate limiting)

References

github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 21, 2026
View reviewed changes
src/auth0_server_python/tests/test_server_client.py
mocker.patch("httpx.AsyncClient", return_value=mock_httpx_client)

# Act
result = await client.get_token_by_password(

Check notice

Code scanning / CodeQL

Unused local variable Note test

Variable result is not used.

Copilot Autofix

AI 19 days ago

To fix this, the unused local variable should be removed while preserving the side effect of calling client.get_token_by_password(...). In Python, the idiomatic way is to simply await the coroutine without assigning it, or, if a placeholder is needed, assign it to _. Since the test only cares that the HTTP request was made with specific parameters (checked via mock_httpx_client.post.call_args), it does not need the returned token.

Concretely, in src/auth0_server_python/tests/test_server_client.py, at lines 2058–2066, remove the result = assignment and keep the await expression as a standalone statement. No imports or additional definitions are required, and no other parts of the file need to be changed.

Suggested changeset 1
src/auth0_server_python/tests/test_server_client.py

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/auth0_server_python/tests/test_server_client.py b/src/auth0_server_python/tests/test_server_client.py
--- a/src/auth0_server_python/tests/test_server_client.py
+++ b/src/auth0_server_python/tests/test_server_client.py
@@ -2055,7 +2055,7 @@
     mocker.patch("httpx.AsyncClient", return_value=mock_httpx_client)
 
     # Act
-    result = await client.get_token_by_password(
+    await client.get_token_by_password(
         TokenByPasswordOptions(
             username="user@example.com",
             password="secure_password",
EOF
@@ -2055,7 +2055,7 @@
mocker.patch("httpx.AsyncClient", return_value=mock_httpx_client)

# Act
result = await client.get_token_by_password(
await client.get_token_by_password(
TokenByPasswordOptions(
username="user@example.com",
password="secure_password",
Copilot is powered by AI and may make mistakes. Always verify output.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@subhankarmaiti