Recently we needed to integrate our frontend SPA with OAuth (to call third-party APIs), so we had to figure out which grant type fits which use case.
The specification describes five grants for acquiring an access token:
- Authorization code grant
- Implicit grant
- Resource owner credentials grant
- Client credentials grant
- Refresh token grant
The most common are 1 and 2.
1 is for the use case with a server that can store the client ID/secret, which is used to authenticate the server app itself. The response after the app authenticates contains a refresh token that can be used to request new access tokens.
2 is good for a client-side app (browser), which obviously cannot keep a client ID/secret hidden in JS. As a result, it gets the access token directly. The drawback is that no refresh token is available, because the client environment cannot be trusted.
3 is for a first-party app that collects the username/password itself and gets an access token back.
4 is good for app-to-app calls: the request just needs to contain the client ID/secret, and it gets an access token back.
5 is obvious: it is the use case in 1 when the access token expires.
This post has more details.
For the SPA there is a new PKCE way, which is a replacement for the implicit grant. Instead of granting the token directly, PKCE sends a hashed string (the code challenge) when requesting the code and then sends the real string (the code verifier) when requesting the token, so that the server can make sure that only the original sender has it.
This post explains it.
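The PKCE exchange described above, written out as an added example (this is not code from the original post or from any OAuth library): the client generates a random code verifier, sends its SHA-256 hash (the S256 code challenge) with the authorization request, and later presents the raw verifier at the token endpoint, where the server re-hashes it and compares. The authorization endpoint URL, client ID, redirect URI and the in-memory "issued codes" table are assumptions standing in for a real authorization server; the one fixed verifier/challenge pair used for a self-check is the test vector from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets
import string
from urllib.parse import urlencode

# RFC 7636: the verifier uses only unreserved characters and is 43..128 chars long.
_UNRESERVED = string.ascii_letters + string.digits + "-._~"


def make_code_verifier(length: int = 64) -> str:
    """Client side: a high-entropy random verifier that never leaves the browser
    until the token request."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43..128 characters (RFC 7636)")
    return "".join(secrets.choice(_UNRESERVED) for _ in range(length))


def code_challenge_s256(verifier: str) -> str:
    """BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                        scope: str, state: str, challenge: str) -> str:
    """Client side: the /authorize request carries the hash, not the secret."""
    params = {
        "response_type": "code",          # authorization code grant, not implicit
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,                   # CSRF protection for the redirect
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def server_verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Server side, at the token endpoint: recompute the challenge from the
    presented verifier and compare in constant time."""
    if stored_method != "S256":           # refuse the downgrade to 'plain'
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    if any(c not in _UNRESERVED for c in presented_verifier):
        return False
    return secrets.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


def demo() -> tuple[bool, bool]:
    """Walk through one flow. Returns (genuine client accepted, interceptor rejected)."""
    # Hypothetical endpoint and client registration (assumptions, not real values).
    authorize_endpoint = "https://auth.example.test/authorize"
    client_id = "spa-client-id"
    redirect_uri = "https://app.example.test/callback"

    # 1. Browser creates verifier + challenge and builds the /authorize URL.
    verifier = make_code_verifier()
    challenge = code_challenge_s256(verifier)
    url = build_authorize_url(authorize_endpoint, client_id, redirect_uri,
                              "read", secrets.token_urlsafe(16), challenge)
    assert "code_challenge=" + challenge in url

    # 2. Authorization server issues a code and remembers the challenge for it
    #    (simulated with an in-memory dict).
    issued_codes = {}
    code = secrets.token_urlsafe(24)
    issued_codes[code] = (challenge, "S256")

    # 3. Token request: the genuine client presents the original verifier.
    stored_challenge, stored_method = issued_codes[code]
    genuine_ok = server_verify_pkce(stored_challenge, stored_method, verifier)

    # 4. Someone who only captured the redirect (code + challenge) cannot produce
    #    the verifier; a guess fails the hash comparison.
    intercepted_ok = server_verify_pkce(stored_challenge, stored_method, make_code_verifier())
    return genuine_ok, intercepted_ok


if __name__ == "__main__":
    print(demo())  # expected: (True, False)
```

The point the post makes is visible in `demo()`: the value that travels over the front channel (the challenge) is useless at the token endpoint without the verifier, which only the originating browser tab holds; the server never needs a client secret for this to work.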