It can be used by third party applications and systems.

And it can also be used by yourself, to debug, check and test the same application.

## The `password` flow { #the-password-flow }

Now let's go back a bit and understand what is all that.

The `password` "flow" is one of the ways ("flows") defined in OAuth2, to handle security and authentication.

    protected final InetSocketAddress remoteAddress;
    /** Local endpoint address */
    protected final InetSocketAddress localAddress;
    /** Available send credits for flow control */
    protected final AtomicInteger sendCredits;
    /** Available receive credits for flow control */
    protected final AtomicInteger receiveCredits;
    /** Queue of pending RDMA work requests */
    protected final BlockingQueue<RdmaWorkRequest> pendingRequests;

 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */
package jcifs.internal.smb2.rdma;

/**
 * RDMA credit management for flow control.
 *
 * Credits are used to control the flow of messages between
 * RDMA peers to prevent buffer overflow.
 */
public class RdmaCredits {

    private int initialCredits;
    private int creditsGranted;

    /**

The most common is the implicit flow.

The most secure is the code flow, but it's more complex to implement as it requires more steps. As it is more complex, many providers end up suggesting the implicit flow.

/// note

It's common that each authentication provider names their flows in a different way, to make it part of their brand.

Am häufigsten ist der „Implicit“-Flow.

Am sichersten ist der „Code“-Flow, die Implementierung ist jedoch komplexer, da mehr Schritte erforderlich sind. Da er komplexer ist, schlagen viele Anbieter letztendlich den „Implicit“-Flow vor.

/// note | Hinweis

Now let's build from the previous chapter and add the missing parts to have a complete security flow.

## Get the `username` and `password` { #get-the-username-and-password }

We are going to use **FastAPI** security utilities to get the `username` and `password`.

OAuth2 specifies that when using the "password flow" (that we are using) the client/user must send a `username` and `password` fields as form data.

        SuggestCreator.Options options = new SuggestCreator.Options();
        assertNotNull(options);
    }

    // Test create and purge full flow
    public void test_createAndPurge_fullFlow() {
        // Test full flow of create and purge
        SuggestCreator.Options options = new SuggestCreator.Options();
        assertNotNull(options);
    }

    // Test system property setting

Create form parameters the same way you would for `Body` or `Query`:

{* ../../docs_src/request_forms/tutorial001_an_py39.py hl[9] *}

For example, in one of the ways the OAuth2 specification can be used (called "password flow") it is required to send a `username` and `password` as form fields.

The <abbr title="specification">spec</abbr> requires the fields to be exactly named `username` and `password`, and to be sent as form fields, not JSON.

    * HTTP Digest, usw.
* `oauth2`: Alle OAuth2-Methoden zum Umgang mit Sicherheit (genannt „Flows“).
    * Mehrere dieser Flows eignen sich zum Aufbau eines OAuth 2.0-Authentifizierungsanbieters (wie Google, Facebook, X (Twitter), GitHub usw.):
        * `implicit`
        * `clientCredentials`
        * `authorizationCode`

    * HTTP Digest, etc.
* `oauth2`: all the OAuth2 ways to handle security (called "flows").
    * Several of these flows are appropriate for building an OAuth 2.0 authentication provider (like Google, Facebook, X (Twitter), GitHub, etc):
        * `implicit`
        * `clientCredentials`
        * `authorizationCode`
    * But there is one specific "flow" that can be perfectly used for handling authentication in the same application directly: