OAuth 2 Grant Types

txt.fliglio.com


Authorization Code Grant

  • Closest to OAuth 1.0
  • Typical workflow for a web app whose backend services run on the same host as the UI
  • Use a Refresh Token to avoid long-lived Access Tokens or constant re-authorization of the Client

Resource Owner requests something of the Client

Client directs the Resource Owner's user-agent to the Authorization Endpoint

Included in redirect - Client identifier, Scope request, local state, callback URI

Authorization Server authorizes Resource Owner and validates Scope

Authorization Server redirects the user-agent back to the Client using the callback URI

Included in redirect - Authorization Code, local state passed from Client

Client requests an Access Token from the Auth Server.
Auth Server authenticates Client

Included in Request - Client authentication, Auth Code, callback URI for verification

Included in Response - Access Token, optional Refresh Token

Client uses Access Token to retrieve Protected Resource
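The Authorization Code flow above, modelled end to end in Python as an added example (not from the slides): a Client that keeps local state across the redirect, and a toy in-memory Authorization Server that checks the callback URI against the registration, authenticates the Client, and treats Authorization Codes as single use. Endpoint, client id, secret and callback values are assumed.

```python
import secrets
import hmac
from urllib.parse import urlencode, urlparse, parse_qs

AUTHZ_ENDPOINT = "https://auth.example.com/authorize"  # assumed endpoint

class Client:
    """Client (web app) side: redirect, callback check, token request."""
    def __init__(self, client_id, client_secret, callback_uri):
        self.client_id, self.client_secret = client_id, client_secret
        self.callback_uri = callback_uri
        self.pending = {}  # state -> scope: the "local state" kept per request
    def authorization_redirect(self, scope):
        state = secrets.token_urlsafe(16)  # unguessable, bound to this request
        self.pending[state] = scope
        return AUTHZ_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "scope": scope, "state": state, "redirect_uri": self.callback_uri})
    def handle_callback(self, url):
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if self.pending.pop(q.get("state"), None) is None:
            raise ValueError("unknown state: not a redirect this client started")
        return {"grant_type": "authorization_code", "code": q["code"],
                "redirect_uri": self.callback_uri,  # resent for verification
                "client_id": self.client_id, "client_secret": self.client_secret}

class AuthServer:
    """Authorization Server side, as an in-memory toy model (constructed)."""
    def __init__(self, clients):
        self.clients = clients  # client_id -> (secret, registered callback URI)
        self.codes = {}         # code -> (client_id, redirect_uri, scope)
    def authorize(self, redirect_url, user_approved=True):
        q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        _, registered = self.clients.get(q["client_id"], (None, None))
        if q["redirect_uri"] != registered or not user_approved:
            return None  # only redirect to the callback registered for this client
        code = secrets.token_urlsafe(16)
        self.codes[code] = (q["client_id"], q["redirect_uri"], q["scope"])
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})
    def token(self, req):
        secret, _ = self.clients.get(req["client_id"], ("", ""))
        entry = self.codes.pop(req.get("code"), None)  # codes are single use
        if not hmac.compare_digest(secret, req["client_secret"]) or entry is None:
            return None  # Client authentication failed or code unknown/replayed
        if entry[0] != req["client_id"] or entry[1] != req["redirect_uri"]:
            return None  # code was issued to another client or callback URI
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "scope": entry[2], "refresh_token": secrets.token_urlsafe(24)}
```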

Implicit Grant

  • All client side, so Client authentication is skipped
  • Client id and the host in the callback URI provide some security

Resource Owner requests something of the Client

Client directs the Resource Owner's user-agent to the Authorization Endpoint

Included in redirect - Client identifier, Scope request, local state, callback URI

Authorization Server authorizes Resource Owner and validates Scope

Authorization Server redirects the user-agent back to the Client using the callback URI

Included in redirect - Access Token

Client uses Access Token to retrieve Protected Resource

Resource Owner Credentials

  • Only for very trusted applications, because the Client collects the user's credentials
  • "The authorization server should take special care when enabling this grant type and only allow it when other flows are not viable." -ietf.org

Resource Owner requests something of the Client

Included in Request - Resource Owner login and password

Client uses Resource Owner credentials to get an Access Token

Included in Request - Client authentication, Resource Owner login and password

Included in Response - Access Token

Client uses Access Token to retrieve Protected Resource

Client Credentials

  • Use only with very trusted clients
  • Relies fully on Client authentication
  • Useful for "in network" services/resources which need access to other "in network" services/resources

Client uses Client Authentication to obtain an Access Token

Included in Request - Client authentication

Included in Response - Access Token

Client uses Access Token to retrieve Protected Resource