Dualog Access - Getting Started (For Devs)


The first thing to determine is which grant or flow to use. This depends on the type of application and your evaluation of security risks.

Recommended grants to use on different application types:

Application Type Preferred Grant Type Alternative Grant Type
Native Resource Owner Password PKCE
Mobile PKCE Implicit Flow
Traditional Authorization Code -
Single-Page Web PKCE Implicit Flow
Machine-To-Machine Client Credentials -


Some important questions to ask:

  1. Where and how to enter username/password:
    • Provided in the application.
    • Redirect to web page supplied by the Identity Server.
  1. Do you have multiple applications and do you plan to implement a single sign-on?
  2. Are you planning to use Multi-factor authentication?
    • MFA is currently not supported by Dualog Access but will be supported in a later version.
  3. What does it take to change your applications?
  4. How is authentication implemented today, where are users stored, and do you foresee a major redesign?
  5. Other considerations to take?


Version 1.x of Dualog Access only supports this grant type. In a later version, other grant types will be supported as well.

The Resource Owner Password flow allows exchanging the username and password of a user for an access token.


  1. Ask the user for their credentials.
    • The first the application should do is to ask the user for their credentials.
  2. Exchange the credentials for an access token
    • The application must make a POST request to the Dualog Access service for an access token providing the credentials and client information.

Required POST parameters:

  • grant_Type - value must be “password” for this flow.
  • scope - One or more registered scopes. If not specified, a token for all explicitly allowed scopes will be issued. Available scopes: “OpenID”, “profile” and “email”
  • client_id - The client identifier. This will be provided by the organization owner. This value corresponds to the value configured for this application on Dualog Portal.
  • client_secret - This is a secret provided by the organization owner. This value corresponds to the value configured for this application on Dualog Portal.
  • username - The username provided by the user.
  • password - The password provided by the user.


curl -d "grant_type=password" \
-d "client_id=nameoftheclient" \
-d "client_secret=thesecret" \
-d "username=test%40test.com" \
-d "password=_password_" \

If the user-provided credentials are successfully authenticated, an access token will be returned from the Dualog Access service containing an access token:

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request



Article is closed for comments.