[Django]-Django-oauth2-provider: get the token without sending the client_secret

2👍

  1. Set Authorization Grant Type as Resource owner password-based
  2. Put WSGIPassAuthorization On at same place as WSGIScriptAlias

1👍

You need to create a client through django admin UI and replace “MY_CLIENT_ID” with the ID.

1👍

“Client type” of application should be “public”

1👍

Just to combine solutions. This is what worked for me. Follow through on the Getting Started guide. However, on creating the application, provide the following:

  • Name: A name of your choosing
  • Client Type: Public
  • Authorization Grant Type: Resource owner password-based

Then the request should be:

curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=password&username=<username>&password=<password>&client_id=<client_id>" http://localhost:8000/o/token/

or, if JSON, add to settings.py:

OAUTH2_PROVIDER = {
    # expect request body Content Type application/json
    'OAUTH2_BACKEND_CLASS': 'oauth2_provider.oauth2_backends.JSONOAuthLibCore'
}

and the request becomes:

curl -X POST \
  http://localhost:8000/o/token/ \
  -H 'Content-Type: application/json' \
  -d '{
    "grant_type": "password",
    "client_id": "<client_id>",
    "username": "<username>",
    "password": "<password>"
}'

0👍

You should use password grant type. The following curl command works with django-oauth-toolkit. I believe it should work with any other oauth provider as well.

curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'grant_type=password&username=user&password=pass&client_id=client_id' 'http://localhost:8000/o/token/'

Please see the following link for more info: https://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified#password
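The answers above all describe the same flow: an application registered as Client Type "Public" with the resource-owner-password grant, then a POST to /o/token/ carrying grant_type, client_id, username and password, either form-encoded or (with JSONOAuthLibCore configured) as JSON. The following helper, an added example and not code from django-oauth-toolkit or any of the answers, builds that request body for both content types, refuses to omit client_secret for a confidential application (a public client is the only case where leaving it out is legitimate), and turns the provider's JSON response into a Bearer header for later API calls. The client id, username and password values are constructed placeholders; the endpoint URL is the one used in the answers.

```python
import json
from urllib.parse import urlencode

# Token endpoint used throughout the answers above.
TOKEN_URL = "http://localhost:8000/o/token/"


def build_password_grant_request(client_id, username, password, *,
                                 client_type="public", client_secret=None,
                                 as_json=False):
    """Return (headers, body) for a resource-owner-password token request.

    client_type mirrors the admin's "Client type" field: a "public"
    application needs no client_secret, a "confidential" one must send it.
    as_json=True produces the body expected when OAUTH2_BACKEND_CLASS is
    set to JSONOAuthLibCore; otherwise the default form encoding is used.
    """
    if client_type not in ("public", "confidential"):
        raise ValueError("client_type must be 'public' or 'confidential'")
    if client_type == "confidential" and not client_secret:
        # The provider rejects this anyway; fail early on the client side.
        raise ValueError("a confidential client must present client_secret")

    params = {
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
    }
    if client_type == "confidential":
        params["client_secret"] = client_secret

    if as_json:
        return {"Content-Type": "application/json"}, json.dumps(params)
    return ({"Content-Type": "application/x-www-form-urlencoded"},
            urlencode(params))


def bearer_header_from_response(response_body):
    """Parse the token endpoint's JSON reply and return an Authorization header.

    A successful reply carries access_token and token_type; an error reply
    carries an "error" field (e.g. invalid_client when the secret was
    required but missing), which is raised instead of silently ignored.
    """
    data = json.loads(response_body)
    if "error" in data:
        raise RuntimeError("token request failed: %s" % data["error"])
    token_type = data.get("token_type", "Bearer")
    return {"Authorization": "%s %s" % (token_type, data["access_token"])}


if __name__ == "__main__":
    # Stand-alone run: actually POST to a local django-oauth-toolkit instance.
    from urllib.request import Request, urlopen

    headers, body = build_password_grant_request(
        "MY_CLIENT_ID", "alice", "correct horse battery staple")  # constructed
    req = Request(TOKEN_URL, data=body.encode(), headers=headers, method="POST")
    with urlopen(req) as resp:
        print(bearer_header_from_response(resp.read().decode()))
```

The public-client case is the one the question is about; the `client_type="confidential"` branch exists so that the same helper cannot be used to quietly drop the secret from an application that was registered to require one.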
