用户名-密码身份验证流可用于在身份验证，当用户拥有用户的凭据时。在这个流程中，用户的凭据由应用程序使用，用以请求一个访问令牌，如下列步骤中所示。

此oauth身份验证流来回传递用户凭据。仅当必要时，使用此身份验证流。没有刷新标记将发行。

1.The application uses the user’s username and password to request an access token. This is done via an out-of-band POST request to the appropriate Salesforce（客户管理系统） token request endpoint, such as https://login.salesforce.com/services/oauth2/token. The following request fields（字段） are required:

An example request body might look something like the following:

grant_type=password&client_id=3MVG9lKcPoNINVBIPJjdw1J9LLM82HnFVVX19KY1uA5mu0QqEWhqKpoW3svG3XHrXDiCQjK1mdgAvhCscA9GE&client_secret=1955279925675241571&username=testuser%40salesforce.com&password=mypassword123456

Salesforce verifies（验证） the user credentials, and if successful, sends a response to the application with the access token. This response contains the following values:

An example response body might look something like:

{"id":"https://login.salesforce.com/id/00Dx0000000BV7z/005x00000012Q9P","issued_at":"1278448832702","instance_url":"https://na1.salesforce.com","signature":"0CmxinZir53Yex7nE0TD+zMpvIWYGb/bdJh6XfOH6EQ=","access_token":"00Dx0000000BV7z!AR8AQAxo9UfVkh8AlV0Gomt9Czx9LjHnSSpwBMmbRcgKFmxOtvxjTrKW19ye6PE3Ds1eQz3z8jr3W7_VbWmEu4Q8TVGSTHxs"}

3.The application users the provided access token to access protected user data. Keep the Following considrations in mind when using the user-agent Oauth flow:

Since the user is never redirected to login at Salesforce in this flow, the user can’t directly authorize the application, so no refresh tokens can be used. If your application requires refresh tokens, you should consider using the Web server or user-agent OAuth flow.

转载自：http://www.salesforce.com/us/developer/docs/api_rest/Content/intro_understanding_username_password_oauth_flow.htm