A grant type is the procedure by which OAuth 2.0's Authorization Server verifies that a Client Application is entitled to access the Resource Server and issues it an access token. OAuth 2.0 defines 4 grant types in its spec:
- Authorization Code
- Implicit
- Resource Owner Password Credentials
- Client Credentials
In this tutorial, we will learn the details of each grant type!
Authorization Code
With this grant type, the Client Application first obtains an authorization code from the Authorization Server, then exchanges that code for an access token, which it presents to the Resource Server to use the resource it wants. Specifically, the Authorization Code grant proceeds as follows:
The Authorization Code grant is typically used when third-party applications need access to our system. Access tokens can be short-lived and refreshed after a period of time, which limits the damage if one leaks.
OAuth 2.0 Security Best Current Practice recommends using this grant type together with PKCE (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-2.1.1). You can see more about the Authorization Code grant with PKCE here.
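As an added example (not code from the original tutorial), here is the client side of the Authorization Code grant with PKCE in Python: it generates the code_verifier and its S256 code_challenge as RFC 7636 specifies, builds the authorization request, checks the state parameter when the user is redirected back, and assembles the body the client would POST to the token endpoint. The endpoint URL, redirect URI and client id are placeholders, and no network call is made.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder endpoints; a real deployment substitutes its own
# authorization server and the redirect URI registered for the client.
AUTHORIZE_ENDPOINT = "https://as.example/authorize"
REDIRECT_URI = "https://app.example/callback"


def b64url_nopad(raw: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """High-entropy verifier: 32 random bytes -> 43 unreserved characters."""
    return b64url_nopad(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_request(client_id: str, scope: str) -> dict:
    """Start the flow: the client keeps verifier and state, sends only the challenge."""
    verifier = make_code_verifier()
    state = b64url_nopad(secrets.token_bytes(16))
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return {
        "url": f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}",
        "verifier": verifier,  # kept in the client session, never sent here
        "state": state,
    }


def handle_redirect(callback_url: str, expected_state: str, verifier: str) -> dict:
    """Process the redirect back: check state, then build the token request body.

    Sending the verifier lets the authorization server confirm that the party
    redeeming the code is the one that started the flow, so a code observed
    in transit is useless on its own.
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or mixed-up response")
    if "code" not in query:
        raise ValueError("redirect carries no authorization code")
    return {
        "grant_type": "authorization_code",
        "code": query["code"][0],
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,
    }
```

The verifier never appears in the front-channel URL; only its hash does, which is why an attacker who sees the authorization response cannot complete the exchange. The `code_challenge_s256` function reproduces the test vector from RFC 7636 Appendix B.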
Implicit
This grant type is mostly similar to the Authorization Code grant, except that the Authorization Server does not return an authorization code to the Client Application; it returns the access token directly as soon as we log in to the Authorization Server.
This means the token is not handled securely on the Client Application side: the access token itself becomes visible to us in the browser.
Specifically, the Implicit grant proceeds as follows:
OAuth 2.0 Security Best Current Practice advises against using this grant type (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-2.1.2); use the Authorization Code grant with PKCE instead!
Resource Owner Password Credentials
With this grant type, we have to trust the Client Application completely, because we log in to the Client Application using our credentials for the Authorization Server, so the Client Application sees our login information.
Only use this grant type if it's absolutely necessary, guys!
OAuth 2.0 Security Best Current Practice advises against using this grant type: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-13#section-3.4
Client Credentials
This grant type is for Client Applications that obtain access tokens without any user being involved. The client authenticates itself with its client ID and client secret pair.
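Added example, not code from the original tutorial: a minimal authorization-server policy in Python that enforces the recommendations from the Implicit, Resource Owner Password Credentials and Client Credentials sections above. The authorization endpoint issues only codes (so response_type=token, the Implicit grant, is refused) and insists on a PKCE challenge; the token endpoint refuses the password grant, authenticates Client Credentials requests by client ID and secret, and for Authorization Code checks the PKCE verifier and that each code is used once. The client registrations, the issued code and the secret are constructed sample data; the S256 transform reuses the RFC 7636 test vector.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional


def sha256_b64url(data: bytes) -> str:
    """base64url(SHA-256(data)) without padding: the S256 transform of RFC 7636."""
    return base64.urlsafe_b64encode(hashlib.sha256(data).digest()).rstrip(b"=").decode("ascii")


# Constructed client registrations. A confidential client stores a hash of its
# secret; a public client has no secret and may only use authorization_code.
CLIENTS = {
    "reporting-job": {
        "secret_hash": hashlib.sha256(b"job-secret-CONSTRUCTED").hexdigest(),
        "grants": {"client_credentials"},
    },
    "spa-frontend": {"secret_hash": None, "grants": {"authorization_code"}},
}

# Constructed record of a code the authorization endpoint already issued, with
# the S256 challenge the client sent when it started the flow.
ISSUED_CODES = {
    "code-123": {
        "client_id": "spa-frontend",
        "code_challenge": sha256_b64url(b"dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"),
        "used": False,
    },
}

# Refused for every client, as the Security BCP sections linked above advise.
BANNED_GRANTS = {"password", "implicit"}


def authorize_endpoint(params: dict) -> dict:
    """Front-channel checks: only the code flow, and only with a PKCE challenge."""
    if params.get("response_type") != "code":
        return {"error": "unsupported_response_type"}  # blocks the Implicit grant
    if params.get("code_challenge_method") != "S256" or not params.get("code_challenge"):
        return {"error": "invalid_request"}  # PKCE is mandatory here
    # A real server would store the new code and its challenge like ISSUED_CODES.
    return {"code": "code-" + secrets.token_urlsafe(8)}


def client_authenticated(client_id: str, client_secret: Optional[str]) -> bool:
    """Constant-time comparison of the presented secret against the stored hash."""
    reg = CLIENTS.get(client_id)
    if reg is None or reg["secret_hash"] is None or client_secret is None:
        return False
    presented = hashlib.sha256(client_secret.encode()).hexdigest()
    return hmac.compare_digest(presented, reg["secret_hash"])


def issue_token(client_id: str, scope: str) -> dict:
    """Opaque random token for the demo; a real server persists or signs it."""
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
            "expires_in": 300, "scope": scope, "client_id": client_id}


def token_endpoint(form: dict) -> dict:
    """Back-channel checks for the grants the tutorial describes."""
    grant = form.get("grant_type")
    client_id = form.get("client_id", "")
    if grant in BANNED_GRANTS or grant not in {"authorization_code", "client_credentials"}:
        return {"error": "unsupported_grant_type"}
    reg = CLIENTS.get(client_id)
    if reg is None:
        return {"error": "invalid_client"}
    if grant not in reg["grants"]:
        return {"error": "unauthorized_client"}

    if grant == "client_credentials":
        # No user involved: the client id/secret pair is the whole proof.
        if not client_authenticated(client_id, form.get("client_secret")):
            return {"error": "invalid_client"}
        return issue_token(client_id, form.get("scope", ""))

    # authorization_code: the code must exist, be unused, belong to this client,
    # and the verifier must hash to the challenge recorded at authorization time.
    rec = ISSUED_CODES.get(form.get("code", ""))
    if rec is None or rec["used"] or rec["client_id"] != client_id:
        return {"error": "invalid_grant"}
    actual = sha256_b64url(form.get("code_verifier", "").encode())
    if not hmac.compare_digest(actual, rec["code_challenge"]):
        return {"error": "invalid_grant"}
    rec["used"] = True  # single use: a replayed code is rejected
    return issue_token(client_id, form.get("scope", ""))
```

The per-client allow-list of grants is the key control: a public browser app cannot suddenly start using client_credentials, and the machine-to-machine job cannot obtain user-scoped codes, whatever a request claims.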