Saturday, 15 Jun 2024

Direct Login Migration

This guide is designed to assist developers in migrating their applications away from the password grant (direct login) flow, which generates OAuth tokens by providing a username and password. It is important to note that new OAuth clients created on this site will not function with a password grant flow. However, any client with the password grant enabled will continue to work for the foreseeable future.

To migrate away from the direct login method, follow the steps outlined below:

  1. Deprecated Flow – Obtain an access token by providing a username and password. This flow is deprecated and should be replaced.

  2. Authorization Code Grant – Use the authorization_code grant type, as documented in the “How to obtain an access token” guide. This grant type is recommended for obtaining access tokens.

  3. Refresh Tokens – Pair the authorization code grant with refresh tokens, as documented in the “How to obtain and use refresh tokens” guide. Refresh tokens allow for the seamless refreshing of access tokens.

Why is the Password Grant Flow Being Deprecated?

The password grant type allows for the exchange of a user’s credentials for an access token. However, due to security concerns and limited functionality, it is strongly advised against using this grant type. This flow does not support multifactor authentication or delegated accounts, making it impractical for many use cases. Additionally, end users are unable to control the scope of data accessed on their behalf, as they cannot accept or deny authorization scopes.


The latest OAuth 2.0 Security Best Current Practice prohibits the use of the password grant entirely.

Common Use Cases

Integrations with Browser Access for GoTo End Users

If your integration provides browser access and your end users have GoTo credentials, you can utilize the authorization code grant flow. Users will need to enter the credentials used for the password grant flow. Refer to the “How to obtain an access token” guide to obtain an access token for your users. Refresh tokens can still be used to refresh the access token in the background, as explained in the “How to obtain and use refresh tokens” guide.

Integrations with System Users

If the username and password used in the password grant flow do not represent real end users, the authorization code flow may not be suitable for your integration. The migration process for such clients will be defined at a later stage, allowing you to continue using the password grant flow until then.

Caveats to the Authorization Code Grant and Refresh Tokens

Distributing Refresh Tokens

When a refresh token exchange returns a new refresh token and access token pair, the old refresh token becomes invalid. If the refresh token was already distributed, the new refresh token must be redistributed accordingly.

Human Interaction

At least one authentication by a human is required in the authorization code grant flow. Following authentication, the code will be exchanged by your service for a refresh token. This refresh token can be used continuously to obtain access tokens.


Refresh Tokens Expiration

When refresh tokens are close to expiration, the endpoint used to exchange the refresh token for an access token will provide a new refresh token. However, if the refresh token expires before this exchange occurs, the token will be considered invalid. In such cases, the user represented by the refresh token must authenticate again to provide a new authorization code via the authorization_code grant.
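The rotation and expiry rules described under “Distributing Refresh Tokens” and “Refresh Tokens Expiration”, as an added example that is not part of the original guide or GoTo's own code. TokenStore and FakeTokenEndpoint are hypothetical names, the token values are constructed, and the invalid_grant error code is assumed to follow RFC 6749 rather than taken from this page.

```python
import threading

class ReauthorizationRequired(Exception):
    """Refresh token rejected: the user must repeat the authorization_code flow."""

class TokenStore:
    """Hypothetical single owner of the current refresh token for one user."""
    def __init__(self, refresh_token, exchange):
        self.refresh_token = refresh_token
        self._exchange = exchange      # callable(form dict) -> response dict
        self._lock = threading.Lock()  # one exchange at a time, so a rotation is never raced

    def access_token(self):
        with self._lock:
            resp = self._exchange({"grant_type": "refresh_token",
                                   "refresh_token": self.refresh_token})
            if resp.get("error") == "invalid_grant":
                raise ReauthorizationRequired("refresh token expired or superseded")
            if "error" in resp:
                raise RuntimeError(resp["error"])
            # A refresh token appears in the response only when the server rotated it.
            # The old one is invalid from here on, so replace it before returning.
            if resp.get("refresh_token"):
                self.refresh_token = resp["refresh_token"]
            return resp["access_token"]

class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint; rotates on every Nth exchange."""
    def __init__(self, initial, rotate_every=2):
        self.valid, self.calls, self.rotate_every = initial, 0, rotate_every

    def __call__(self, form):
        if form.get("grant_type") != "refresh_token" or form.get("refresh_token") != self.valid:
            return {"error": "invalid_grant"}
        self.calls += 1
        resp = {"access_token": f"at-{self.calls}", "token_type": "Bearer"}
        if self.calls % self.rotate_every == 0:
            self.valid = resp["refresh_token"] = f"rt-{self.calls}"
        return resp

def demo():
    endpoint = FakeTokenEndpoint("rt-0")
    store = TokenStore("rt-0", endpoint)
    tokens = [store.access_token() for _ in range(3)]  # second call triggers a rotation
    stale = endpoint({"grant_type": "refresh_token", "refresh_token": "rt-0"})
    return tokens, store.refresh_token, stale

if __name__ == "__main__":
    print(demo())
```

Any other copy of the old refresh token, such as one held by a second worker, fails the same way as the stale request here, which is why the store is the only place the token is read from.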

GoTo Assist Corporate API

Please note that the GoTo Assist Corporate API is not accessible using the authorization_code grant flow.

Frequently Asked Questions

  • Q: Can I still use the password grant flow for existing clients?
    A: Yes, existing clients with the password grant enabled will continue to function for the foreseeable future. However, it is recommended to migrate to the authorization code grant flow as soon as possible.

  • Q: What are the advantages of using the authorization code grant flow?
    A: The authorization code grant flow provides enhanced security, supports multifactor authentication and delegated accounts, and allows end users to control the scope of data accessed by integrations.

  • Q: How can I refresh access tokens using refresh tokens?
    A: Follow the steps outlined in the “How to obtain and use refresh tokens” guide to refresh access tokens seamlessly.

  • Q: Can I distribute refresh tokens to multiple users?
    A: Yes, refresh tokens can be distributed to multiple users. However, when refreshing tokens, ensure that the old refresh token is invalidated and the new refresh token is distributed accordingly.


Migrating from the deprecated password grant (direct login) flow to the more secure and versatile authorization code grant flow is essential for ensuring the safety and functionality of your applications. By following the recommended steps outlined in this guide, you can seamlessly transition your integrations and provide a better user experience. Embrace the latest OAuth 2.0 Security Best Current Practices and leverage the power of the authorization code grant flow and refresh tokens.
