Oauth - Flow (Abstract Protocol Flow)



The abstract OAuth 2.0 flow describes the interaction between the four roles.


For each type of grant, you got a flow:

Type / Flow Description Client Type (Public / Private) Direction Type
authorization_code Redirection to an authorization server confidential (private, server) redirection
password_credentials Password Credential of the user via a login form confidential (private, server) direct
client_credentials Credential given by the client (app) confidential (private, server) direct
implicit Redirection to an authorization server public client (in browser app without web server) redirection

There is also the Device Authorization Grant for apps that don't have access to a web browser. ie used for headless apps, such as CLI tools.

Authorization Code

The Authorization Code grant type is optimized for confidential client (server app).

It's a a redirection-based flow used to obtain both:

Password Credentials

In the Resource Owner Password Credentials / Password Credentials Flow, the owner (user) gives its password credentials to the client (app).

Therefore, the resource owner (user) should have a trust relationship with the client (the app), such as the device operating system or a highly privileged application.

This flow is used generally to migrate existing clients:


  • This grant type is suitable for clients (apps) capable of obtaining the resource owner’s credentials (username and password, typically using an interactive form).
  • This is a fallback flow and should be used only when other flows are not viable.

Client Credentials

In a Client Credentials flow, the client can request an access token using only its client credentials (or other supported means of authentication) when the client is requesting access to the protected resources under its control, or those of another resource owner that have been previously arranged with the authorization server (the method of which is beyond the scope of this specification).

The client credentials grant type MUST only be used by confidential clients.


Implicit for Javascript Browser App (such as React, Vue, …)


Before initiating the protocol (flow), the client must register with the authorization server


The authorization request can be made:


Flow when the client requests authorization from the resource owner directly.

This is mostly the password credentials flow.

See the password credentials flow for the sequence


A indirect flow is preferable and asks authorization to the authorization endpoint (ie authorization server) as an intermediary (between the client and the resource owner).

An indirect flow is a redirection based flow.



A redirection-based flow means that in the flow, the client (app) and/or the authorization server endpoints send feedback and direct the resource owner's user-agent (the end-user browser) to another destination via http redirection

All Redirection-based flows are indirect.

Discover More
How does Single Sign-on (SSO) authentication work?

Single Sign-On (SSO, trusted sign-on) is the ability: to require a user to sign once and gain access to different applications. SSO is also known as: as Trusted sign-on or Multi-Domain Security...
In OAuth, what is the state query parameter known as Local State?

The state query parameter is an opaque value used by the client (app) in redirection flow to maintain the state between the and (response) (ie to restore or continue the navigation of the user). ...
OAuth - Implicit Grant and flow

The implicit grant is a grant type (flow) that issued directly an access token. (It does not support the issuance of refresh tokens). This grant type is called implicit, as no intermediate credentials...
OAuth - Resource Owner Password Credentials / Password Credentials Flow

This page is the authentication via the password credentials (ie login+password) in OAuth. This type of authentication is known in Oauth as: the Password Credentials Flow. the Resource owner password...
Oauth - Authorization Grant (Resource Owner Authorization|Authorization Credentials)

An Authorization Grant is a credential representing the resource owner's authorization to access its protected resources. The flow for each type of grant is expressed using grant type: one of four...
Oauth - Client (App)

client is one of the 4 roles of the Oauth specification. In its most basic form, it's a web site used by a end-user. In more details, it's is a (first-party or third party service application making...
Oauth - Role

OAuth defines four roles: The interaction between this roles is described in the flow. An end-user (resource owner) can grant a printing service (client) access to her protected photos...
Oauth 2.0 - Authorization framework

This section talks OAuth 2.0 (OAuth 2.0 replaces OAuth 1.0) The following two specifications provide a general framework for third-party applications (know as the client) to obtain and use limited...
Card Puncher Data Processing
Process - Sequence Diagram Viz

A Sequence diagram is an interaction diagram that shows how processes (ie protocol) operate with one another and in what order. They focus on the message interchange between participant materialized in...

Share this page:
Follow us:
Task Runner