Two OAuth 2.0 grant type examples

OAuth 2.0 specifies four grant types. We only discuss the Authorization Code Grant and the Implicit Grant, as they are the most common and Airlock IAM supports both. We give a brief overview of these grants to illustrate their most common use case. Terms and definitions explains some OAuth 2.0 terms in more detail.

All supported OAuth 2.0 grant types and OIDC flows are listed in the overview table Supported features.

The Authorization Code Grant is usually used to delegate authorization from one web application to another.

The OAuth 2.0 RFC depicts the Authorization Code Grant as follows:

We give an example to illustrate this grant type.

0. Goal:

Delegate authorization to access Facebook (Authorization Server) pictures to Pinterest (Client).

1. The user (Resource Owner) navigates in her browser (User-Agent) to Pinterest (Client). Pinterest would like to display pictures contained in the user's Facebook account.
2. (A) Pinterest redirects the user to Facebook (Authorization Server), with a request saying that Pinterest (client_id) would like to access the user's pictures (scope).
3. (B) The user authenticates with Facebook and is asked if she would like to grant Pinterest access to her pictures. We assume the user grants access.
4. (C) Facebook sends a redirect containing an Authorization Code to Pinterest.
5. (D) Pinterest directly authenticates with Facebook and then uses the Authorization Code to obtain an Access Token (E).
6. Finally, Pinterest uses the Access Token to access the user's Facebook pictures.

The client credentials grant is used by clients to directly obtain an access token with the client's credentials and without a user's involvement.

0. Using the client credentials grant, follows these steps:
1. The client sends a request to the authorization server.
2. The server verifies the credentials supplied in the request.
3. Upon success, the authorization server issues an access token and sends it to the client in the response.