See also: https://community.webcon.com/forum/thread/8245
We are integrating WEBCON BPS with APIs that follow RFC 6749 OAuth 2.0 Authorization Framework and explicitly support the Resource Owner Password Credentials Grant (grant_type=password).
These APIs (in our case: core banking / backend systems) require both:
client authentication (client_id / client_secret via Basic Auth)
and user authentication (username / password in the token request)
Example token request:
POST /token
Authorization: Basic base64(client_id:client_secret)
Content-Type: application/x-www-form-urlencoded

grant_type=password&username=USER&password=PASS&scope=default
Currently, WEBCON BPS does not support this OAuth flow in its REST authentication configuration.
Problem:
Because of this limitation, we are forced to implement an additional proxy / gateway layer that:
accepts a standard WEBCON call
performs the password grant flow internally
returns the access token unchanged
This introduces:
additional infrastructure complexity
extra maintenance effort
another critical component in the authentication chain
Requirement / Feature Request:
Add native support for OAuth 2.0 password grant in REST integrations, including:
Ability to configure grant_type=password
Fields for username and password in token request
Support for Basic Auth (client_id / client_secret)
Standard handling of access_token and refresh_token
Optional support for refresh_token flow
Additional Context:
We are aware that the password grant is not recommended for public clients, but it is still actively used in internal and trusted environments (as also stated in RFC 6749).
Supporting this flow would allow WEBCON to integrate directly with such systems without requiring a custom proxy layer.
Impact:
Simplifies integration with legacy and enterprise backend systems
Reduces architecture complexity
Removes need for custom authentication gateways
Improves maintainability and transparency
Thank you for considering this enhancement.
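
The token handling that the proxy layer described in the post has to perform, as an added example (not part of the original post and not WEBCON code): it builds the password-grant request with client Basic Auth, caches the access token, and uses the refresh_token before falling back to the password grant. The names `PasswordGrantSession`, `token_request`, `basic_auth` and the `send` callable are hypothetical, and the token endpoint is assumed to answer with JSON as in RFC 6749 section 5.1.

```python
import base64, json, time
from urllib.parse import quote_plus, urlencode

def basic_auth(client_id, client_secret):
    # RFC 6749 section 2.3.1: form-urlencode each part, then base64("id:secret")
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(pair.encode()).decode()

def token_request(client_id, client_secret, params):
    # Both the header and the body carry credentials: never write them to logs.
    headers = {"Authorization": basic_auth(client_id, client_secret),
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode(params)

class PasswordGrantSession:
    """Hypothetical helper: caches the token, prefers refresh_token over the password grant."""
    def __init__(self, send, client_id, client_secret, username, password, scope="default"):
        self.send = send  # assumed callable(headers, body) -> JSON text (the POST to /token)
        self.client = (client_id, client_secret)
        self.login = {"grant_type": "password", "username": username,
                      "password": password, "scope": scope}
        self.access = self.refresh = None
        self.expires_at = 0.0

    def _store(self, raw):
        tok = json.loads(raw)
        if "access_token" not in tok:
            raise ValueError(tok.get("error", "invalid token response"))
        self.access = tok["access_token"]
        self.refresh = tok.get("refresh_token", self.refresh)
        self.expires_at = time.time() + int(tok.get("expires_in", 0))

    def access_token(self, skew=30):
        # Reuse the cached token until shortly before it expires.
        if self.access and time.time() < self.expires_at - skew:
            return self.access
        if self.refresh:
            try:
                body = {"grant_type": "refresh_token", "refresh_token": self.refresh}
                self._store(self.send(*token_request(*self.client, body)))
                return self.access
            except ValueError:
                self.refresh = None  # refresh rejected: fall back to the password grant
        self._store(self.send(*token_request(*self.client, self.login)))
        return self.access
```

In a real gateway `send` would be an HTTPS POST to the token endpoint with certificate validation enabled, and the user password would come from a secret store rather than configuration text.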