By: Niels van Huijstee user 09 May 2016 at 9:23 a.m. CDT

8 Responses
We are using custom scripts in Gluu to validate user credentials at a different server. We configured the custom script usage type to be "both methods". Now we are trying to obtain an access token with grant_type=password and we see that the custom scripts are used. However, in the interception script, the credentials from the Http Basic Auth header are used rather than the credentials from the POST.

By Mohib Zico Account Admin 09 May 2016 at 10:29 a.m. CDT

Niels, If you have any custom script for authentication, you need to 'enable' it from 'Manage Custom Scripts' and then from drop down menu of [Manage Authentication](https://gluu.org/docs/oxtrust/configuration/#manage-authentication) section, select your desired method.

By Niels van Huijstee user 09 May 2016 at 10:34 a.m. CDT

Hi Mohib, Thanks for your quick reply. I was just browsing through the settings of the custom scripts and noticed that the Usage Type was set to Web. After I set it to Both Methods, the script was also used for the Resource Owner Password Credentials method. After doing so, I noticed that the credentials used inside the custom script, Identity.instance().getCredentials(), returns the credentials from the HTTP Auth Header and not from the POST body. Is this by design? Kind regards, Niels.

By Michael Schwartz Account Admin 09 May 2016 at 5:37 p.m. CDT

Interesting... if you look at the sample POST in the [docs](https://gluu.org/docs/integrate/oauth2grants/#resource-owner-password-credentials-grant) the client creds should be presented as `Authorization: Basic` header, and the username / password should be presented in the body. Did you see this documentation?

By Niels van Huijstee user 10 May 2016 at 2:35 a.m. CDT

Yes, I read the docs you mentioned. In fact those docs pointed me to our current solution. We are sending the Gluu client id and secret in the `Authorization: Basic` header and the user credentials in the body. This is the python code I use for testing:

```python
import requests

# Placeholders: set these for your deployment
USERNAME = "<user>"
PASSWORD = "<user-password>"
CLIENT_ID = "<gluu-client-id>"
CLIENT_SECRET = "<gluu-client-secret>"
ACCESS_TOKEN_ENDPOINT = "<token-endpoint-url>"

session = requests.session()
post = {
    'grant_type': 'password',
    'username': USERNAME,
    'password': PASSWORD,
    'scope': 'openid email profile',
}
response = session.post(
    # client credentials go in the HTTP Basic header
    auth=requests.auth.HTTPBasicAuth(username=CLIENT_ID, password=CLIENT_SECRET),
    headers={'Content-Type': 'application/x-www-form-urlencoded'},
    url=ACCESS_TOKEN_ENDPOINT,
    verify=False,  # TLS verification disabled in this test setup
    data=post
)
```

In the custom authentication script, our authenticate method looks as follows. `idp_requests` is a small python library we wrote that communicates between Gluu and our own IdP.

```python
# Jython interception script; imports assume Gluu 2.x (Seam), adjust for your version
from org.jboss.seam.security import Identity
from org.xdi.util import StringHelper

import idp_requests  # our own helper library


def authenticate(self, configurationAttributes, requestParameters, step):
    if step == 1:
        # credentials as oxAuth sees them for this request
        credentials = Identity.instance().getCredentials()
        username = credentials.getUsername()
        password = credentials.getPassword()

        if StringHelper.isEmpty(username) or StringHelper.isEmpty(password):
            print "[CUSTOM_AUTH] Username or password empty"
            return False

        if not idp_requests.check_credentials(username, password, configurationAttributes):
            print "[CUSTOM_AUTH] Login failed for username {}".format(username)
            return False
        ...
```

Gluu does hit our custom script, but the `idp_requests.check_credentials` call fails. The log message is `[CUSTOM_AUTH] Login failed for username CLIENT_ID`. On a side note, if I use invalid credentials in the header, the wrapper.log shows `INFO [org.xdi.oxauth.auth.AuthenticationFilter] Basic authentication failed`, which is as expected.
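
As an added illustration (not code from this thread or from Gluu), the script below parses a constructed Resource Owner Password Credentials token request of the shape the test script above sends and separates the two credential pairs it carries: the client pair in the Basic header and the resource owner pair in the form body. The endpoint path, client identifiers and user names are made-up placeholders.

```python
import base64
from urllib.parse import parse_qs

# Constructed sample of an ROPC token request (not a real capture): the client
# authenticates in the Basic header, the resource owner's credentials travel in
# the form body. Endpoint path and all identifiers are made up.
SAMPLE_TOKEN_REQUEST = (
    "POST /token HTTP/1.1\r\n"
    "Host: idp.example.test\r\n"
    "Authorization: Basic "
    + base64.b64encode(b"client_id_123:client_secret_xyz").decode("ascii")
    + "\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "grant_type=password&username=alice&password=alice-pw&scope=openid+email+profile"
)


def split_credentials(raw_request):
    """Return the two credential pairs carried by an ROPC token request.

    'client' is (client_id, client_secret) from the Basic header;
    'resource_owner' is (username, password) from the form body.
    A script that checks the first pair against the user store logs exactly
    the failure described in the thread (client id used as the username).
    """
    head, _, body = raw_request.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    client = None
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        decoded = base64.b64decode(auth[6:]).decode("utf-8")
        client_id, _, client_secret = decoded.partition(":")
        client = (client_id, client_secret)

    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if form.get("grant_type") != "password":
        raise ValueError("not a resource owner password credentials request")

    return {
        "client": client,
        "resource_owner": (form.get("username"), form.get("password")),
        "scope": form.get("scope", "").split(),
    }
```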

By Niels van Huijstee user 10 May 2016 at 2:57 a.m. CDT

One more thing: We have a second installation of Gluu that does not use custom scripts but stores users in the Gluu LDAP. On that machine, we can obtain the access token without problems.

By Yuriy Zabrovarnyy staff 10 May 2016 at 6:03 a.m. CDT

In the Resource Owner Password Credentials Grant case, the Token Endpoint is called directly with "direct" authentication by username and password. All custom authentication mechanisms (scripts) are invoked during the Authorization Endpoint call. For this please use the Authorization Code or Implicit grant type.

By Niels van Huijstee user 10 May 2016 at 7:16 a.m. CDT

What we are seeing is that once we set a custom Person Authentication script and we set the Usage type of that script to "Both methods", the custom script does get executed during the Token Endpoint call. Our problem is that the Credentials object returns the HTTP `Authorization: Basic` header's credentials (the Gluu client id as username and the Gluu client secret as password) instead of the username/password from the POST.

By Michael Schwartz Account Admin 10 May 2016 at 7:29 a.m. CDT

We're sorry, but authentication scripts are not supported for OAuth2 Resource Owner Password Credential Grant.... In the [Token Endpoint](https://github.com/GluuFederation/oxAuth/blob/master/Server/src/main/java/org/xdi/oxauth/token/ws/rs/TokenRestWebServiceImpl.java#L210-210) we call authenticationService directly with user credentials:

```java
boolean authenticated = authenticationService.authenticate(username, password);
```