Grant types in OAuth 2.0

The grant type is how OAuth 2.0’s Authorization Server processes the Client Application’s request and verifies that it is eligible for access to the Resource Server. OAuth 2.0 defines four grant types in its spec:

  • Authorization Code
  • Implicit
  • Resource Owner Password Credentials
  • Client Credentials

In this tutorial, we will learn the details of each grant type!


Authorization Code

With this grant type, the Client Application requests an authorization code from the Authorization Server and then uses that code to obtain access to the resources it needs on the Resource Server. Specifically, the Authorization Code grant type proceeds as follows:

[Diagram: Authorization Code grant flow]

The Authorization Code grant type is often used when third-party applications need access to our system. We can refresh the token after a period of time to increase security.

OAuth 2.0 Security Best Current Practice recommends using this grant type with PKCE (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-2.1.1). You can see more about the Authorization Code grant type with PKCE here.
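The PKCE step that the BCP recommends, as an added example (not code from the original post): the Client Application derives a code_challenge from a random code_verifier and sends it in the authorization request, and the Authorization Server recomputes the challenge from the verifier at the token endpoint before releasing a token. The endpoint URL, client_id and redirect_uri are placeholder values.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholder values for the example; not real endpoints or clients.
AUTHZ_ENDPOINT = "https://authz.example/authorize"
CLIENT_ID = "example-client"
REDIRECT_URI = "https://client.example/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """Client side: a random code_verifier and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside the 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorization_url(challenge: str, state: str) -> str:
    """Client side: the redirect to the Authorization Server carrying the challenge."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "read",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization Server side, at the token endpoint: recompute S256 over the
    verifier sent with the authorization code and compare it to the challenge
    stored when the code was issued. A code redeemed without the matching
    verifier (e.g. one intercepted on the redirect) fails this check."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    recomputed = b64url(hashlib.sha256(presented_verifier.encode("ascii")).digest())
    return secrets.compare_digest(recomputed, stored_challenge)


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    print(build_authorization_url(challenge, state=b64url(secrets.token_bytes(16))))
    print("legitimate client:", verify_pkce(challenge, verifier))       # True
    print("code without verifier:", verify_pkce(challenge, "x" * 43))  # False
```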


Implicit

This grant type is similar to the Authorization Code grant type for the most part, except that the Authorization Server does not return an authorization code to the Client Application, but returns the access token directly as soon as we log in to the Authorization Server.

This means the token is not stored securely on the Client Application, and now we can see the access token as well.

Specifically, the Implicit grant type proceeds as follows:

[Diagram: Implicit grant flow]

OAuth 2.0 Security Best Current Practice advises us not to use this grant type (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-2.1.2); use the Authorization Code grant type with PKCE instead!


Resource Owner Password Credentials

With this grant type, we have to trust the Client Application completely, because we log in to the Client Application using our credentials for the Authorization Server. The Client Application therefore captures our login information.

[Diagram: Resource Owner Password Credentials grant flow]

Only use this type of grant if it’s absolutely necessary, guys!

OAuth 2.0 Security Best Current Practice advises us not to use this grant type (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-13#section-3.4).

Client Credentials

This grant type is used by Client Applications that can obtain access tokens without involving a user. We use a client ID and client secret pair to do this.
