Table of Contents

About

The abstract OAuth 2.0 flow describes the interaction between the four roles.

Type

For each type of grant, you got a flow:

Type / Flow Description Client Type (Public / Private) Direction Type
authorization_code Redirection to an authorization server confidential (private, server) redirection
password_credentials Password Credential of the user via a login form confidential (private, server) direct
client_credentials Credential given by the client (app) confidential (private, server) direct
implicit Redirection to an authorization server public client (in browser app without web server) redirection

There is also the Device Authorization Grant for apps that don't have access to a web browser. ie used for headless apps, such as CLI tools.

Authorization Code

The Authorization Code grant type is optimized for confidential client (server app).

It's a a redirection-based flow used to obtain both:

Password Credentials

In the Resource Owner Password Credentials / Password Credentials Flow, the owner (user) gives its password credentials to the client (app).

Therefore, the resource owner (user) should have a trust relationship with the client (the app), such as the device operating system or a highly privileged application.

This flow is used generally to migrate existing clients:

Characteristics:

  • This grant type is suitable for clients (apps) capable of obtaining the resource owner’s credentials (username and password, typically using an interactive form).
  • This is a fallback flow and should be used only when other flows are not viable.

Client Credentials

In a Client Credentials flow, the client can request an access token using only its client credentials (or other supported means of authentication) when the client is requesting access to the protected resources under its control, or those of another resource owner that have been previously arranged with the authorization server (the method of which is beyond the scope of this specification).

The client credentials grant type MUST only be used by confidential clients.

Implicit

Implicit for Javascript Browser App (such as React, Vue, …)

Prerequisites

Before initiating the protocol (flow), the client must register with the authorization server

Steps

The authorization request can be made:

Direct

Flow when the client requests authorization from the resource owner directly.

This is mostly the password credentials flow.

See the password credentials flow for the sequence

Indirect

A indirect flow is preferable and asks authorization to the authorization endpoint (ie authorization server) as an intermediary (between the client and the resource owner).

An indirect flow is a redirection based flow.

List:

Redirection-based

A redirection-based flow means that in the flow, the client (app) and/or the authorization server endpoints send feedback and direct the resource owner's user-agent (the end-user browser) to another destination via http redirection

All Redirection-based flows are indirect.