I am using the "/services/oauth2/token" endpoint with grant_type "password" (and with client_id, client_secret, username, password) from JavaScript code. With "IP Restrictions" set to "Relax IP restrictions" in the "Connected App" definition, this allows me to obtain an access_token by just supplying the username and password (no security token), which is good.
However, while this code works for a "System Administrator" profile user ("Salesforce" license), the same code does not work for a "High Volume Customer Portal" profile user ("High Volume Customer Portal" license); the latter profile has "API Enabled" checked. The error returned in that case is:
{"error_description":"expired access/refresh token","error":"invalid_grant"}
Is this a license type issue or have I just got some other inconsistency between the two users that is causing the problem?
(There is a mention of username/password in a comment in OAuth for Portal Users but it is rather brief.)
Best Answer
OAuth username-password for Portal/Communities users is not possible.
The usual approach to authenticating users to Salesforce in a mobile app is to pop up a webview with the OAuth user agent login URL and watch for the final redirect to the 'success' URL. I got this working with the PhoneGap ChildBrowser plugin a while ago; things have changed a lot in PhoneGap since then, but that shows the general approach.
On the other hand, if you REALLY want to do username/password, you can do SOAP login against the portal using LoginScopeHeader.
In general, the web-based login is preferred, since it will handle SSO from enterprise identity providers, Facebook, Google etc.
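The webview approach described in the answer above, as an added example (not code from the original post or from Salesforce): it builds the user-agent flow URL to open in the webview and inspects each navigation for the final redirect, rejecting a redirect whose `state` does not match the login attempt. The host, consumer key, redirect URI and function names are hypothetical placeholders.

```javascript
// Added example: helpers for the OAuth user-agent flow in a webview login.
// LOGIN_HOST, CLIENT_ID and REDIRECT_URI are constructed placeholder values.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

const LOGIN_HOST = 'https://portal.example.com';              // assumed login host
const CLIENT_ID = 'EXAMPLE_CONSUMER_KEY';                      // placeholder consumer key
const REDIRECT_URI = 'https://app.example.com/oauth/success';  // assumed 'success' URL

// Build the URL the webview is opened on, plus a one-time state value.
function buildAuthorizeUrl() {
  const bytes = webCrypto.getRandomValues(new Uint8Array(16));
  const state = Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
  const url = new URL('/services/oauth2/authorize', LOGIN_HOST);
  url.searchParams.set('response_type', 'token');
  url.searchParams.set('client_id', CLIENT_ID);
  url.searchParams.set('redirect_uri', REDIRECT_URI);
  url.searchParams.set('state', state);
  return { url: url.toString(), state };
}

// Call on every webview navigation. Returns null until the final redirect,
// then the token fields; throws on an OAuth error or a state mismatch.
function handleNavigation(location, expectedState) {
  const target = new URL(location);
  const expected = new URL(REDIRECT_URI);
  if (target.origin !== expected.origin || target.pathname !== expected.pathname) {
    return null; // still on a login or consent page
  }
  const params = new URLSearchParams(target.hash.replace(/^#/, ''));
  const error = params.get('error') ?? target.searchParams.get('error');
  if (error) {
    throw new Error(`${error}: ${params.get('error_description') ?? ''}`);
  }
  if (params.get('state') !== expectedState) {
    throw new Error('state mismatch: redirect does not belong to this login attempt');
  }
  const accessToken = params.get('access_token');
  if (!accessToken) throw new Error('redirect carried no access_token');
  return { accessToken, instanceUrl: params.get('instance_url') };
}
```

The token arrives in the URL fragment, so the app should close the webview as soon as `handleNavigation` returns a result and keep the redirect URL out of logs.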