Resource Owner Password Credentials Flow

Last updated: April 16, 2020

Introduction

OAuth 2.0

At Decathlon, we value the integrity and security of our members' data above all else. In order for your applications to access Decathlon member data and/or act on their behalf, they must be authenticated. To make this process as easy as possible, Decathlon relies on the industry-standard OAuth 2.0 protocol for granting access.



The resource owner password credentials flow allows an application to obtain an access token from the authorization server by sending the user's credentials (i.e. username and password) directly to the token endpoint. In this flow the user does not enter their credentials into a login page but directly into the application's own interface, so the application itself handles the raw password.
This flow is now deprecated: the OAuth 2.0 Security Best Current Practice recommends against using it, and it is omitted from the OAuth 2.1 draft specification.

Decathlon is not willing to support this deprecated flow

As mentioned above, this flow requires the user to enter their credentials directly into the application, which means:

  • Users cannot consent to the access granted to their data (no scope validation)
  • Users do not benefit from our single sign-on
  • Users are trained to enter their Decathlon credentials somewhere other than our login page
  • It increases the attack surface: credentials can leak in more places than just the login server (client storage, logs, ...)
  • We cannot efficiently prevent brute-force attacks, because there is no captcha or similar mechanism in front of the token endpoint
  • Non-approved mobile applications could easily copy/use it, and even build phishing campaigns on it
  • We cannot ensure a common, single login identity (UI/UX) across all applications
  • Each application must embed social providers itself, which means users have to consent several times to give Decathlon access to their social identity
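As an added illustration (not Decathlon's code and not part of the original page), the following Python shows the token request an ROPC client would send, per RFC 6749 section 4.3.2, and a minimal token endpoint that refuses the grant with the standard unsupported_grant_type error from RFC 6749 section 5.2, as an authorization server that does not offer this flow would. The endpoint URL, client_id, the set of supported grants and the sample credentials are assumptions; the log-redaction helper shows why a password field in the request body is a liability in its own right.

```python
# Added example (not Decathlon's code): the wire shape of a Resource Owner
# Password Credentials token request (RFC 6749 section 4.3.2) and how a token
# endpoint that does not offer this grant refuses it with the standard
# "unsupported_grant_type" error (RFC 6749 section 5.2). The endpoint URL,
# client_id, sample credentials and the set of supported grants are placeholders.
from urllib.parse import urlencode, parse_qs

TOKEN_ENDPOINT = "https://auth.example.com/oauth/token"  # placeholder, not a real endpoint

# Grants this hypothetical authorization server accepts; "password" is deliberately absent.
SUPPORTED_GRANTS = {"authorization_code", "refresh_token"}

# Form fields that must never reach request logs.
SENSITIVE_FIELDS = {"password", "client_secret", "refresh_token", "code"}


def build_ropc_request(client_id, username, password, scope=None):
    """Form-encoded body an ROPC client POSTs to TOKEN_ENDPOINT.

    The raw password is carried in the request body, which is why it can
    end up in the client's storage, HTTP client logs and intermediaries.
    """
    params = {
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": client_id,
    }
    if scope:
        params["scope"] = scope
    return urlencode(params)


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def token_endpoint(body):
    """Minimal token-endpoint policy check.

    Returns (http_status, json_body). Any grant_type outside SUPPORTED_GRANTS,
    including "password", is refused before any credential is looked at, so a
    submitted password is never validated and the endpoint gives no
    password-guessing oracle.
    """
    form = parse_form(body)
    grant = form.get("grant_type")
    if not grant:
        return 400, {"error": "invalid_request",
                     "error_description": "grant_type is required"}
    if grant not in SUPPORTED_GRANTS:
        return 400, {"error": "unsupported_grant_type",
                     "error_description": f"grant_type '{grant}' is not offered by this server"}
    # A real server would now validate the code / refresh token and mint tokens.
    return 200, {"access_token": "<issued token>", "token_type": "Bearer"}


def redact_for_log(body):
    """Request body as it may be written to a log: sensitive fields masked.

    Worth doing on any token endpoint; with ROPC there is a password field
    in every request, so one missed log line leaks a user's actual password.
    """
    form = parse_form(body)
    return urlencode({k: ("***" if k in SENSITIVE_FIELDS else v) for k, v in form.items()})


if __name__ == "__main__":
    # Constructed sample request; "alice" / "s3cret" are made-up test values.
    body = build_ropc_request("mobile-app", "alice", "s3cret", scope="profile")
    print("POST", TOKEN_ENDPOINT)
    print("body:", body)
    print("logged as:", redact_for_log(body))
    print("response:", token_endpoint(body))
```

Rejecting on grant_type before touching the username or password is the important ordering: the server never learns whether the guessed password was right, so the deprecated endpoint cannot be repurposed as a credential-stuffing oracle even if it is reachable.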

OAuth 2.0 is an IETF standard (RFC 6749); you can find the full documentation here.