OAuth grant types

Recently we needed to integrate our frontend SPA with OAuth (to call third-party APIs), so we had to figure out which grant type fits which use case.

The specification describes five grants for acquiring an access token:

  1. Authorization code grant
  2. Implicit grant
  3. Resource owner credentials grant
  4. Client credentials grant
  5. Refresh token grant

The most common ones are 1 and 2.

1 is for the use case where there is a server that can store the client id/secret, which is used to authenticate the server app itself. The response after the app authenticates contains a refresh token that can be used to request new access tokens.

2 is good for a client-side app (browser), which obviously cannot expose a client id/secret in JS. As a result, it gets the access token directly. The drawback is that no refresh token is available, because the client environment cannot be trusted.

3 is for a first-party app that collects the username/password itself and gets an access token back.

4 is good for app-to-app calls: the request just needs to contain the client id/secret, and the app gets an access token back.

5 is obvious: it is just the use case in 1 when the access token expires.


This post has more details.

For the SPA there is a newer PKCE flow, which is a replacement for the implicit grant. Instead of granting the token directly, PKCE sends a hashed string when requesting the code and then sends the real string when requesting the token, so that the server can make sure that only the original sender has that real string.

This post explains it.
