The grant type is the way the OAuth 2.0 Authorization Server determines and verifies that a Client Application is eligible for access to the Resource Server. OAuth 2.0 defines four grant types in its spec:
- Authorization Code
- Implicit
- Resource Owner Password Credentials
- Client Credentials
In this tutorial, we will learn the details of each grant type!
Authorization Code
With this grant type, the Client Application first requests an authorization code from the Authorization Server and then uses that code to obtain access to the resource it wants on the Resource Server. Specifically, the Authorization Code grant takes place as follows:
The Authorization Code grant type is often used when 3rd-party applications need access to our system. The token can be refreshed after a period of time to increase security.
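The exchange described above, as an added in-memory simulation that is not part of the original tutorial: the client registration, user name and endpoint functions are assumed values, and the checks (redirect URI match, client secret, single-use and expiring code) are what an Authorization Server is expected to enforce in this flow.

```python
# Added example: minimal simulation of the OAuth 2.0 Authorization Code grant.
import secrets
import time

# Constructed client registration (assumed values, not a real deployment).
CLIENTS = {
    "app-123": {"secret": "s3cr3t", "redirect_uri": "https://app.example/cb"},
}
_codes = {}   # code -> {client_id, redirect_uri, user, expires}
_tokens = {}  # access_token -> {user, expires}


def authorize(client_id, redirect_uri, user):
    """Authorization endpoint: after the Resource Owner logs in and consents,
    issue a short-lived code bound to this client and its registered redirect URI."""
    client = CLIENTS.get(client_id)
    if client is None or client["redirect_uri"] != redirect_uri:
        raise ValueError("unknown client or redirect_uri mismatch")
    code = secrets.token_urlsafe(24)
    _codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                    "user": user, "expires": time.time() + 60}
    return code  # in practice delivered by a 302 to redirect_uri?code=...


def token(code, client_id, client_secret, redirect_uri):
    """Token endpoint: exchange the code for an access token. The code must
    belong to the authenticated client, be unexpired, and is single-use."""
    client = CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client["secret"], client_secret):
        raise ValueError("invalid_client")
    entry = _codes.pop(code, None)  # pop: a replayed code fails the check below
    if (entry is None or entry["client_id"] != client_id
            or entry["redirect_uri"] != redirect_uri or entry["expires"] < time.time()):
        raise ValueError("invalid_grant")
    tok = secrets.token_urlsafe(32)
    _tokens[tok] = {"user": entry["user"], "expires": time.time() + 3600}
    return tok


def resource(access_token):
    """Resource Server: accept the bearer token only if it is known and unexpired."""
    entry = _tokens.get(access_token)
    if entry is None or entry["expires"] < time.time():
        raise PermissionError("invalid_token")
    return {"owner": entry["user"]}


def demo():
    code = authorize("app-123", "https://app.example/cb", user="alice")
    tok = token(code, "app-123", "s3cr3t", "https://app.example/cb")
    return resource(tok)["owner"]
```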
Implicit
This grant type is similar to the Authorization Code grant type for the most part, except that the Authorization Server does not return an authorization code to the Client Application; instead, it returns the access token as soon as we log in to the Authorization Server.
This means the token is not stored securely on the Client Application, and we can now see the access token as well.
Specifically, the Implicit grant process takes place as follows:
Resource Owner Password Credentials
With this grant type, we have to trust the Client Application completely, because we log in to the Client Application using our credentials for the Authorization Server. The Client Application therefore captures our login information.
Only use this type of grant if it’s absolutely necessary, guys!
Client Credentials
This grant type is similar to the Resource Owner Password Credentials grant type, but here the resources being used do not belong to the user in question but to other users.