Disable resource owner password credentials (ROPC) in OAuth 2 token grants [New in Security Center 7.0]

  • Release version: Australia
  • Updated: March 12, 2026
  • Reading time: 3 minutes
  • Prevent Resource Owner Password Credentials (ROPC) from granting OAuth 2 tokens.

    By default, Resource Owner Password Credentials (ROPC) are allowed to grant OAuth 2 tokens on your instances when a client application directly requests an access token using a user name and password. When the glide.oauth.inbound.ropc.grant_type.disabled system property is set to true, ROPC is inactive and can’t be used to grant OAuth 2 tokens.

    Ensure that the glide.oauth.inbound.ropc.grant_type.disabled system property is set to true. If the property doesn’t exist on the System Properties [sys_properties] table, the default value is false. If this property exists on that table, it defaults to false.

    More information

    Attribute             Description
    Configuration name    glide.oauth.inbound.ropc.grant_type.disabled
    Configuration type    System Properties (/sys_properties_list.do)
    Data type             Boolean
    Recommended value     true
    Default value         false
    Fallback value        false
    Category              Authentication
    Security risk
    • Severity score: 3.3
    • CVSS score: Low
    • When the property is set to false, using ROPC to grant OAuth 2 tokens is allowed. ROPC is considered less secure than other authentication flows because the user's credentials are exposed to the application. This can lead to vulnerabilities if the client is compromised, and the flow suffers from weaknesses similar to those of basic auth. OAuth 2.1 has deprecated ROPC.
    Functional impact

    When the property is set to true, ROPC is inactive and cannot be used to grant OAuth 2 tokens. This blocks any applications that access the platform by obtaining OAuth 2 tokens through ROPC.

    Dependencies and prerequisites

    The OAuth 2.0 (com.snc.platform.security.oauth) plugin must be active.

    To learn more about adding or creating a system property, see Add a system property.
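
A pre-change check for the setting described above, as an added example that is not ServiceNow code: it reads the effective property value from exported sys_properties rows (applying the false fallback when the row is missing) and lists the OAuth clients whose token requests use the ROPC grant (grant_type=password in RFC 6749), which are the clients that stop working once the property is true. The rows and request bodies are constructed samples, where the request bodies come from is left to you, and treating only the string "true" as true is an assumption.

```python
from urllib.parse import parse_qs

PROPERTY = "glide.oauth.inbound.ropc.grant_type.disabled"

# Constructed sample: sys_properties rows as name/value pairs (ROPC row absent).
SAMPLE_ROWS = [{"name": "x_example.unrelated.property", "value": "30"}]

# Constructed sample: form-encoded token request bodies, secrets redacted.
SAMPLE_REQUESTS = [
    "grant_type=password&client_id=legacy-reporting&username=svc.report&password=REDACTED",
    "grant_type=refresh_token&client_id=mobile-app&refresh_token=REDACTED",
    "grant_type=authorization_code&client_id=portal&code=REDACTED",
    "grant_type=password&client_id=etl-job&username=svc.etl&password=REDACTED",
    "grant_type=password&client_id=etl-job&username=svc.etl2&password=REDACTED",
]


def ropc_disabled(rows):
    """Effective property value; a missing row falls back to false."""
    for row in rows:
        if row.get("name") == PROPERTY:
            # Assumption: only the string "true" (any case) counts as true.
            return str(row.get("value", "")).strip().lower() == "true"
    return False


def ropc_clients(request_bodies):
    """Map client_id -> set of user names sent with grant_type=password."""
    clients = {}
    for body in request_bodies:
        form = parse_qs(body)
        if form.get("grant_type", [""])[0] != "password":
            continue
        client = form.get("client_id", ["<no client_id>"])[0]
        clients.setdefault(client, set()).update(form.get("username", []))
    return clients


def assess(rows, request_bodies):
    """Summarise hardening state and which clients depend on ROPC."""
    disabled = ropc_disabled(rows)
    clients = ropc_clients(request_bodies)
    return {
        "compliant": disabled,
        "ropc_clients": sorted(clients),
        "exposed_users": sorted(set().union(*clients.values())),
        "must_migrate_before_change": [] if disabled else sorted(clients),
    }
```

Calling `assess(SAMPLE_ROWS, SAMPLE_REQUESTS)` reports the instance as non-compliant and names the two clients to move to another grant type before the property is set to true.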