We want to provide access for customers to certain data via the API using the resource owner password credentials flow. We can successfully log in to get a token if the login type is UI or unrestricted, but we need to limit the user to API so they can’t log in directly through the UI. Is this possible?
Details
- The first screenshot shows the normal token request when the username has a login type of UI or unrestricted.
- In the second screenshot we limit the user type to API only.
- The third screenshot shows how the same Postman request from #1 now provides an error that only API requests are available for the user.
Is it not possible to lock the user account down to only allow API access but also get a token?