8.5 Configuring Events

Here you can configure the supported applications / events to where the Advanced Authentication server will authenticate.

To configure an authentication event for Advanced Authentication, follow the steps:

Open the Events section.
Click the Edit button next to an applicable event.
Select whether the current event is enabled or disabled by clicking the Is enabled toggle button.
Select the event type.
Select the authenticator category, if applicable.
Select chains that will be assigned to the current event.
If you want to restrict access of some Endpoints to the Event, add all the Endpoints that must have access to the Endpoint whitelists. The remaining Endpoints are blacklisted automatically. If you leave the Endpoints whitelist blank, all the endpoints are permitted.
Select the Geo-fencing option if you want to enable geo-fencing. Add the permitted zones to the Used list. To know more on configuring geo-fencing, see the Smartphone method.

NOTE:You must enable the policy Geo fencing options to use the geo fencing functionality
Select Allow Kerberos SSO, if you want to enable single sign-on to the Advanced Authentication Portals. Kerberos SSO is supported for AdminUI, Authenticators Management, Helpdesk and Report logon events

NOTE:To use Kerberos SSO feature, you must configure Kerberos SSO Options policy and upload a keytab file.
Click Save at the bottom of the Events view to save configuration.

If you need to revert the changes to defaults use the Initialize default chains button.

NOTE: If you have specified more than one chain with one method (For example "LDAP Password", "LDAP Password+Smartphone") and assigned it to the same group of users and the same Event, the top chain is always used if the user has all the methods in the chain enrolled. An exception is usage of a high-security chain and its appropriate simple chain, where the simple chain must be higher than its high-security chain.

HINT:It's recommended to have a single chain with Emergency Password method at a top of the Used chains list in Authenticators Management event and other events which are used by users. The chain will be ignored while user doesn't have the Emergency Password enrolled. The user will be able to use the Emergency Password immediately when security officer enrolled the user the Emergency Password authenticator.

To create a custom event for a third-party application, click Add below the available Events list. Then, perform the following steps:

Specify a name for the event.
Enable the event by changing Is enabled to ON.
Select one of the following events.
- Select OS Logon (domain) if the third-party application needs to read password of a user after authentication. For example, it is required when Windows Client, Mac OS X Client or Linux PAM Client workstation is joined/bound to a domain.
- Select OAuth2 if you need to create an OAuth 2.0 event.
- Select SAML2 if you need to create an SAML 2.0 event.
- Select Generic otherwise (including a case if Windows Client, Mac OS X Client or Linux PAM Client workstation is not joined/bound to a domain).
Select the Authenticator category.
Select the chains that will be assigned to the event.
Select the required endpoints from Endpoint whitelist (if applicable). Access to the event from other endpoints will be restricted.
Enable/Disable the geo-fencing.

NOTE:You must enable the policy Geo fencing options to use the geo fencing functionality.

Geo-fencing requires a smart phone. If you use the geo-fencing feature, then ensure that access to the location is enabled for the NetIQ Advanced Authentication app on the smartphone. For more information on enabling geo-fencing on smartphone see Smartphone.
Specify the redirect URLs, if you have selected OAuth2 event. OAuth 2 settings are available only for OAuth2 events.

IMPORTANT:WebAuth feature must be enabled in Server Options before configuring OAuth2 event.

NOTE:The client ID and client secret is generate automatically. Client ID, client secret and redirect URL will be consumed by consumer web application. After successful authentication, the redirect URL web page specified in the event is displayed.
Enable/disable the Use for Owner Password Credentials option. Advanced settings are available only for OAuth2 events.
- Set the Use for Owner Password Credentials option to ON, if the consumer web application provides authorization in the form of Resource Owner Password Credentials Grant.
- Set the Use for Owner Password Credentials option to OFF, if the consumer web application provides authorization in the form of Authorization Code Grant or Implicit Grant.
NOTE:If you enable Use for Owner Password Credentials option, then you can use only LDAP Password only chain for this event. Also, it is recommended to have separate events for Resource Owner Password Credentials Grant (Use for Owner Password Credentials option set to ON) and Authorization Code Grant / Implicit Grant (Use for Owner Password Credentials option set to OFF).
If you have selected SAML2 event, then in the SAML 2.0 settings section, either insert your Service Provider's SAML 2.0 metadata to the SP SAML 2.0 metadata field OR click Choose File and select a Service Provider's SAML 2.0 metadata XML file to upload it.

NOTE:For the SAML2 event to function properly, the SAML 2.0 options policy has to be configured.
Click Save.

If you have created a custom OAuth 2 event, then perform the following steps to access consumer web application:

Specify the client ID, client secret and redirect URLs in the consumer web application.
Specify the Appliance end point (Authorization end point) in the web application. For example, https://<Appliance IP>/osp/a/TOP/auth/oauth2/grant

NOTE: Authorization is provided in the form of Authorization Code Grant or Implicit Grant or Resource Owner Password Credentials Grant.
Authenticate with the required authentication method(s) to access the consumer web application.

For more information on OAuth 2.0 event, see OAuth 2.0 Roles, OAuth 2.0 Modes, OAuth 2.0 Sample Web Application, and Exploring Sample Web Application.

The following predefined events are available.

8.5.1 ADFS

This event is used to configure integration with ADFS.For more information, see Configuring Advanced Authentication Server in the ADFS Plug-in Installation guide.

8.5.2 AdminUI

This event is used for accessing this Administrative Portal. You can configure which chains can be used to get access to /admin.

NOTE:You can add authorized users or group of users from a configured repository to the FULL ADMINS role (in Repositories - Local). After this, you must assign the chains in which the methods are enrolled for users with the AdminUI event (at a minimum with an LDAP Password).

8.5.3 Authenticators Management

This event configures the chains that can be used to access the Self-Service Portal. Users can enroll any of the methods that are configured for any chain they are a member of the group assigned to the chain.

You may post a LDAP Password chain to the bottom of the used chains list to secure access to the portal for users who already has enrolled methods.

IMPORTANT:If there are no users in a configured repository which has access to the Administrative Portal, a chain with Password only (Authenticators Management - Password) must be enabled for the Authenticators Management event. This helps in accessing the Self-Service Portal when a used password expires and has to be changed.

You can also perform basic authentication with Advanced Authentication.

To achieve basic authentication, in the Event Edit screen for Authenticators Management, set the Allow basic authentication option to ON.

NOTE:The basic authentication is supported only for the Authentication Management event and for the Password (PIN), LDAP Password, and HOTP methods.

You must enter /basic with the URL to login to the enrollment page. The Login page appears and the format of the Username you must provide is: username:PASSWORD|LDAP_PASSWORD|HOTP:1. For example: admin:PASSWORD:1.

When you login to the Self Service portal, by default, the chain with the highest priority is displayed. To display the other chains with the enrolled methods, you can turn the Show chain selection option to ON. This helps you to view the list of available chains and then select one of them.

NOTE:The chains are displayed with the enrolled methods only.

8.5.4 Helpdesk

This event is used for accessing the Helpdesk Portal by Helpdesk/Security officers.

8.5.5 Helpdesk User

This event is used to authenticate users in the Helpdesk portal when the Helpdesk administrator is already authenticated. The event is used when the Ask credentials of management user option in the Helpdesk Options policy is enabled.

8.5.6 Linux Logon

This event configures the chains that can be used to log on to Linux. If you want to use Linux Client on non-domain joined workstations, change the Event type from OS Logon (domain) to OS Logon (local).

8.5.7 Mac OS logon

This event configures the chains that can be used to log on in Apple Mac OS. If you want to use Mac OS Client on non-domain joined workstations, change the Event type from OS Logon (domain) to OS Logon (local).

8.5.8 NAM

The Advanced Authentication server supports integration with Advanced Authentication Access Manager. Advanced Authentication Access Manager Advanced Authentication plug-in must be installed and configured on a NAM appliance and User Stores must be added for the used repositories.

8.5.9 NCA

The Advanced Authentication server supports integration with Advanced Authentication CloudAccess. CloudAccess must be configured to use Advanced Authentication as an authentication card and User Stores must be added for the used repositories. Check the Advanced Authentication CloudAccess documentation.

Radius Server

The Advanced Authentication server contains a built-in RADIUS server that is able to authenticate any RADIUS client using one of chains configured for the event.

8.5.10 Report logon

This event allows you to configure the chains and user categories that can be used to sign-in to the Advanced Authentication - Reporting Portal.

8.5.11 Windows logon

This event configures the chains that can be used to log on in Microsoft Windows.

In an event you can configure a prioritized list of chains that can be used to get access to that specific event. If you want to use Windows Client on non-domain joined workstations, change the Event type from OS Logon (domain) to OS Logon (local).

8.5.12 Radius Server

The Advanced Authentication server contains a built-in RADIUS server that is able to authenticate any RADIUS client using one of chains configured for the event.

IMPORTANT:Currently the built-in RADIUS Server supports only PAP.

The RADIUS Server supports all authentication methods except Card, FIDO U2F, Fingerprint, Notaris ID, and PKI.

Single-factor authentication with a Smartphone method is not supported for RADIUS by the in-built design. It is recommended to use it in a two-factor chain with LDAP Password method.

To configure an authentication event for Advanced Authentication, follow the steps:

Open the Events section.
Click the Edit button next to the Radius Server event.
Ensure that the event has Is enabled option set to ON.
Select chains that will be assigned to the event*.
Select Radius from Endpoint whitelists.
Click Add button to add a Radius Client assigned to the event:
- Specify the Radius Client name in the Name text field.
- Enter an IP address of the Radius Client.
- Enter the Radius Client Secret and Confirmation.
- Ensure that the Radius Client is set to ON.
- Click the save button next to the Radius Client.
- Add more Radius Clients if necessary.
Click Save at the bottom of the Events view to save configuration.

IMPORTANT:When you specify more than one Chain to use with the Radius Server, follow one of the described ways:

Each assigned Chain of the RADIUS event may be assigned to a different LDAP group. E.g. LDAP Password+Smartphone chain is assigned to a Smartphone users group, LDAP Password+HOTP chain is assigned to a HOTP users group. If a RADIUS user is a member of the both groups, a top group will be used.
It's possible to use the RADIUS authentication using any Chain when entering <username> <chain shortname> in username field. E.g. pjones sms. Ensure that you have the short names specified for the used Chains. Usage of the option may be not admissible in your RADIUS client (like in FortiGate).

IMPORTANT:If you use the LDAP Password+Smartphone chain it is possible to use an offline authentication by entering the following data in the password field: <LDAP Password>&<Smartphone OTP>. E.g. Q1w2e3r4&512385. The same use case is supported for LDAP Password+OATH TOTP, LDAP Password+OATH HOTP, Password+Smartphone, Password+OATH TOTP, Password+OATH HOTP.

NOTE:When multitenancy is enabled, you can use one of the following forms of user name:

<repository_name>\<username>
<tenant_name>\<repository_name>\<username>
<username>@<tenant_name>
<repository_name>\<username>@<tenant_name>

NOTE:The Advanced Authentication Framework stores the Radius Event settings only on a server where administrator performs the configuration (usually this is DB Master server). After conversion of DB Slave server to DB Master server the configuration may be lost. Open the Radius Event settings and click Save to apply the configuration.

For information on how to configure integrations with the third-party solutions, see Section 12.0, Configuring Integrations.

OAuth 2.0 Event

This section describes the roles and modes used in OAuth 2.0 event.

OAuth 2.0 Roles

OAuth 2.0 event consists of the following 4 roles:

Resource Owner: An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user.
Resource Server: The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
Client: An application making protected resource requests on behalf of the resource owner and with its authorization. The term "client" does not imply any particular implementation characteristics.
Authorization Server: The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.

OAuth 2.0 Modes

For more information on OAuth 2.0 modes, see the website.

Authorization Code

The workflow for authorization code involves the following steps:

The OAuth client initiates the flow when it directs the user agent of the resource owner to the authorization endpoint. The OAuth client includes its client identifier, requested scope, local state, and a redirection URI.
The authorization server authenticates the resource owner through the user agent and establishes whether the resource owner grants or denies the access request.
If the resource owner grants access, the OAuth client uses the redirection URI provided earlier to redirect the user agent back to the OAuth client. The redirection URI includes an authorization code and any local state previously provided by the OAuth client.
The OAuth client requests an access token from the authorization server through the token endpoint. The OAuth client authenticates with its client credentials and includes the authorization code received in the previous step. The OAuth client also includes the redirection URI used to obtain the authorization code for verification.
The authorization server validates the client credentials and the authorization code. The server also ensures that the redirection URI received matches the URI used to redirect the client in Step 3. If valid, the authorization server responds back with an access token.

Implicit Grant

The workflow for implicit grant involves the following steps:

The OAuth client initiates the flow by directing the user agent of the resource owner to the authorization endpoint. The OAuth client includes its client identifier, requested scope, local state, and a redirection URI. The authorization server sends the user agent back to the redirection URI after access is granted or denied.
The authorization server authenticates the resource owner through the user agent and establishes whether the resource owner grants or denies the access request.
If the resource owner grants access, the authorization server redirects the user agent back to the client using the redirection URI provided earlier. The redirection URI includes the access token in the URI fragment.
The user agent follows the redirection instructions by making a request to the web server without the fragment. The user agent retains the fragment information locally.
The web server returns a web page, which is typically an HTML document with an embedded script. The web page accesses the full redirection URI including the fragment retained by the user agent. It can also extract the access token and other parameters contained in the fragment.
The user agent runs the script provided by the web server locally, which extracts the access token and passes it to the client.

OAuth 2.0 Sample Web Application

To create a sample web application you need Python v3 (the sample script prepared on v3.4.3).The following web application demonstrates all the functionalities supported by OAuth 2.0 integration. OAuth 2.0 server is an authorization and resource server. As an authorization server the user has to go through authentication chains. As a resource server some user details are provided.You have to create the following 5 files:

Sample script (oauth2_test.py)

1.  from bottle import Bottle, request, run, redirect, SimpleTemplate, template  
2.	from urllib.parse import urlparse, urlunparse, urlencode,quote  
3.  import urllib.request  
4.	import base64  
5.  import ssl  
6.	import json  
7.    
8.	app = Bottle()  
9.    
10.	client_id = 'id-rSCzuBLQgXCATfkXZ4fsedAo8sPsWxSs'  
11.  client_secret = 'secret-91DpzWFD26RriURR7KJ1pryFx7V9QeDm'  
12.	redirect_uri = 'http://localhost:8088/'  # this app callback URI  
13.  authorization_endpoint = 'https://192.168.0.151/osp/a/TOP/auth/oauth2/grant'  
14.  attributes_endpoint = 'https://192.168.0.151/osp/a/TOP/auth/oauth2/getattributes'  
15.  state = {}  
16.	 
17.  @app.get('/getattr')  
18.	def get_attributes():  
19.      params = urlencode({  
20.	        'attributes': 'client username userRepository user_dn user_cn mail sid upn netbiosName',  
21.	        'access_token': state['access_token']  
22.      })  
23.	    url = attributes_endpoint + '?' + params  
24.      print('getattr url: {}\n'.format(url))  
25.	    req = urllib.request.Request(url)  
26.      gcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)  # avoid cert checking  
27.	    with urllib.request.urlopen(req, context=gcontext) as response:  # perform GET request and read response  
28.	        rsp = response.read()  
29.      attributes = json.loads(rsp.decode('utf-8'))  
30.	    return template('attributes.html', items=attributes.items(), refresh_token=urllib.parse.quote(state['refresh_token']))  
31.	 
32.   
33.	@app.get('/')  
34.  def do_get():  
35.	    code = request.query.get('code')  
36.      if code:  
37.	        # got code from OAuth 2 authentication server  
38.          token = get_token_code(code)  
39.	        state.update(token)  
40.          return template('token.html', items=token.items(), refresh_token=urllib.parse.quote(token['refresh_token']))  
41.      else:  
42.	        return template('main.html')  
43.   
44.	 
45.  @app.get('/logon')  
46.	def do_logon():  
47.      pr=list(urlparse(authorization_endpoint))  
48.	    # set query  
49.      pr[4]=urlencode({  
50.	        'response_type': 'code',  
51.          'client_id': client_id,  
52.	        'redirect_uri': redirect_uri  
53.      })  
54.	    # perform redirection to OAuth 2 authentication server  
55.      redirect(urlunparse(pr))  
56.	 
57.  @app.get('/logon-implicit')  
58.	def do_logon_implicit():  
59.      # parse authorization_endpoint URL  
60.	    pr = list(urlparse(authorization_endpoint))  
61.      # set query  
62.	    pr[4] = urlencode({  
63.          'response_type': 'token',  
64.	        'client_id': client_id,  
65.      })  
66.	    # perform redirection to OAuth 2 authentication server  
67.      redirect(urlunparse(pr))  
68.	 
69.  @app.get('/logon-creds')  
70.	def do_logon_creds():  
71.      return template('logonform.html')  
72.	 
73.  @app.post('/logon-creds')  
74.	def do_logon_creds_post():  
75.      username = request.forms.get('username')  
76.	    password = request.forms.get('password')  
77.      token = get_token_password(username, password)  
78.	    state.update(token)  
79.      return template('token.html', items=token.items(), refresh_token=urllib.parse.quote(token['refresh_token']))  
80.    
81.	def get_token_password(username, password):  
82.      # prepare POST parameters - encode them to urlencoded  
83.	    data = urlencode({  
84.          'grant_type': 'password',  
85.	        'username': username,  
86.          'password': password  
87.	    })  
88.      data = data.encode('ascii')  # data should be bytes  
89.	    resp_text = post_data(data, prepare_headers())  
90.      print(resp_text)  
91.	    return json.loads(resp_text)  
92.   
93.	@app.get('/refresh')  
94.  def do_refresh():  
95.	    token = refresh_access_token(request.query.get('refresh_token'))  
96.      state.update(token)  
97.	    return template('token.html', items=token.items(), refresh_token=state.get('refresh_token', ''))  
98.	  
99.  def get_token_code(code):  
100.	    # prepare POST parameters - encode them to urlencoded  
101.      data = urlencode({  
102.	        'grant_type': 'authorization_code',  
103.          'code': code,  
104.	        'redirect_uri': redirect_uri  
105.      })  
106.	    data = data.encode('ascii')  # data should be bytes  
107.      resp_text = post_data(data, prepare_headers())  
108.	    print(resp_text)  
109.      return json.loads(resp_text)  
110.	  
111.  def refresh_access_token(refresh_token):  
112.	    print('refresh_token: {}'.format(refresh_token))  
113.      # prepare POST parameters - encode them to urlencoded  
114.	    data = urlencode({  
115.          'grant_type': 'refresh_token',  
116.	        'refresh_token': refresh_token,  
117.      })  
118.	    data = data.encode('ascii')  # data should be bytes  
119.      resp_text = post_data(data, prepare_headers())  
120.	    print(resp_text)  
121.      return json.loads(resp_text)  
122.	  
123.  def prepare_headers(use_content_type_hdr = True):  
124.	    hdrs = {  
125.          'Authorization': 'Basic {}'.format(base64.b64encode(  
126.	            '{}:{}'.format(quote(client_id, safe=''), quote(client_secret, safe='')).encode('ascii')).decode(  
127.	            'ascii')),  
128.      }  
129.	    if use_content_type_hdr:  
130.          hdrs.update({'Content-type': 'application/x-www-form-urlencoded'})  
131.      return hdrs  
132.    
133.  def post_data(data, headers):  
134.      print('post_data\nheaders:\n{}\ndata:\n{}'.format(headers, data))  
135.      req = urllib.request.Request(authorization_endpoint, data, headers)  
136.      gcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)  # avoid cert checking  
137.	    with urllib.request.urlopen(req, context=gcontext) as response:  # perform POST request and read response  
138.	        rsp = response.read()  
139.      return rsp.decode('utf-8')  
140.	  
141.  run(app, host='0.0.0.0', port=8088)

NOTE:In the script you need to change values for client_id, client_secret, and Advanced Authentication Server address in authorization_endpoint and attributes_endpoint (lines 10-14).

Main menu (main.html)

1.  <!DOCTYPE html>  
2.	<html>  
3.  <head lang="en">  
4.	    <meta charset="UTF-8">  
5.      <title></title>  
6.	    <script type="text/javascript">  
7.           //<![CDATA[ 
8.	            function getHashParam(name) { 
9.                  var hash = window.location.hash; 
10.	                if (hash) { 
11.                      if (name = (new RegExp('[#&]' + encodeURIComponent(name) + '=([^&]*)')).exec(hash)) 
12.                      return decodeURIComponent(name[1]); 
13.	                } 
14.              } 
15.	            function showResult() { 
16.                  if (window.location.hash) { 
17.	                    document.getElementById('result').innerHTML = '<table border="1">'+ 
18.	                        '<tr><td>access_token</td><td>'+getHashParam('access_token')+'</td></tr>'+ 
19.	                        '<tr><td>token_type</td><td>'+getHashParam('token_type')+'</td></tr>'+ 
20.	                        '<tr><td>expires_in</td><td>'+getHashParam('expires_in')+'</td></tr>'+ 
21.	                        '</table>'; 
22.                  } else { 
23.	                    document.getElementById('result').innerHTML = 'Implicit granted token is not found'; 
24.	                } 
25.              } 
26.	          // ]]>  
27.          </script>  
28.	</head>  
29.  <body onload="showResult();">  
30.	<div id="result">result</div><br/>  
31.  <br/>  
32.	Click <a href="/logon">here</a> to obtain an authentication token through Authorization Code Grant<br/>  
33.	Click <a href="/logon-implicit">here</a> to obtain an authentication token through Implicit Grant (the token will be received in hash part of THIS page)<br/>  
34.  Click <a href="/logon-creds">here</a> to obtain an authentication token through Resource Owner Password Credentials Grant<br/>  
35.  </body>  
36.	</html>

Token information (token.html)

1.  <!DOCTYPE html>  
2.	<html>  
3.  <head lang="en">  
4.	    <meta charset="UTF-8">  
5.      <title></title>  
6.	</head>  
7.  <body>  
8.	Token<br/>  
9.  <table border="1">  
10.	    % for k, v in items:  
11.      <tr>  
12.	        <td>{{k}}</td>  
13.          <td>{{v}}</td>  
14.	    </tr>  
15.      % end  
16.	</table>  
17.  <br/>  
18.	<a href="/getattr">Get attributes</a><br/>  
19.  <a href="/refresh?refresh_token={{refresh_token}}">Refresh token</a>  
20.	</body>  
21.  </html>

Attributes information (attributes.html)

1.  <!DOCTYPE html>  
2.	<html>  
3.  <head lang="en">  
4.	    <meta charset="UTF-8">  
5.      <title></title>  
6.	</head>  
7.  <body>  
8.	Attributes<br/>  
9.  <table border="1">  
10.	    % for k, v in items:  
11.      <tr>  
12.	        <td>{{k}}</td>  
13.          <td>{{v}}</td>  
14.	    </tr>  
15.      % end  
16.	</table>  
17.  <br/>  
18.	<a href="/refresh?refresh_token={{refresh_token}}">Refresh token</a>  
19.  </body>  
20.	</html>

Logon form for Resource Owner Password Credentials Grant mode (logonform.html)

1.  <!DOCTYPE html>  
2.	<html>  
3.  <head lang="en">  
4.	    <meta charset="UTF-8">  
5.      <title></title>  
6.	</head>  
7.  <body>  
8.	<form method="post" action="/logon-creds">  
9.      User name: <input type="text" name="username"><br/>  
10.	    Password: <input type="password" name="password"><br/>  
11.      <input type="submit">  
12.	</form>  
13.  </body>  
14.	</html>

Exploring Sample Web Application

Run the script: python oauth2_test.py.
Open the URL: http://localhost:8088.

A message is displayed with the following modes to select:
- Authorization Code Grant
- Implicit Grant (the token will be received in hash part of THIS page)
- Resource Owner Password Credentials Grant (is not supported by default but it can be activated in AAF)
Use the required grant based on your requirement.

Authorization Code Grant
1. Ensure that Use for Owner Password Credentials option is set to OFF in Advanced settings section for the used OAuth2 event.
2. Click the first link. NetIQ Access page will be displayed with Username request.
3. Enter the Username.
4. Click Next.
5. Authenticate using all required methods of used chain. The result page shows the access_token, token_type and expires_in.
  - Click Get attributes to look at the attributes.
  - Click Refresh token to refresh token. The access_token value will be updated.
Implicit Grant
1. Ensure that Use for Owner Password Credentials option is set to OFF in Advanced settings section for the used OAuth2 event.
2. Click the second link. NetIQ Access page will be displayed with Username request.
3. Enter the Username.
4. Click Next.
5. Authenticate using all required methods of used chain. The result page shows the access_token, token_type and expires_in.
Resource Owner Password Credentials Grant
1. Open Advanced settings section for the used OAuth2 event.
2. Set Use for Owner Password Credentials option is to ON.
3. Click the third link. A request for Username and Password will be displayed.
4. Enter the username and password and then click Submit. The result page shows the access_token, token_type and expires_in.