OAuth 2.0 grant types

OAuth 2.0 specifies four grant types. This article only discusses the Authorization Code grant type and the Client Credentials grant type, as these are the most common types. We give a brief overview of these grants to illustrate their most common use case. Terms and definitions explains some OAuth 2.0 terms in more detail.

 
Info

All supported OAuth 2.0 grant types and OIDC flows are listed in the overview table on OAuth 2.0 and OpenID Connect (OIDC) overview.

Overview of Authorization Code grant

The Authorization Code grant securely grants a client application access to protected resources on behalf of a user while keeping sensitive credentials safe from exposure.

The OAuth 2.0 RFC depicts the Authorization Code grant as follows:

Example:

  1. Goal: Use Facebook as an Authorization Server to authorize access to pictures to Pinterest (Client).

  2. The user (Resource Owner) navigates in her browser (User-Agent) to Pinterest (Client). Pinterest would like to display pictures contained in the user's Facebook account.
    This step is not part of the Authorization Code grant.
  3. (A) Pinterest (client) opens a browser window for the user. The URL points to Facebook (Authorization Server), with a request saying that Pinterest (client_id) would like to access the user's pictures (scope). This request contains a redirect URL.
  4. (B) The user authenticates with Facebook and is asked if she would like to grant Pinterest access to her pictures (consent). We assume the user grants access.
  5. (C) Facebook instructs the browser to redirect to the client (this is the redirect URL from step 2). This redirect also contains the Authorization Code. The browser window is now closed and control is back with the client (Pinterest)
  6. (D) Pinterest makes an authenticated REST call (client authentication) to Facebook (authorization server) to exchange the Authorization Code for an Access Token (E).
  7. Finally, Pinterest uses the Access Token to access the user's Facebook pictures.

Overview of Client Credentials grant

The Client Credentials grant allows a client application to obtain an access token to access protected resources on its own behalf. This is typically used in machine-to-machine authentication without user involvement.

The OAuth 2.0 Client Credentials Grant plugin supports the following features:

  • Configurable issuer (iss) and audience (aud) claims.
  • Configurable scope policies and granted scope processors.
  • Configurable signature on the access token.

For the Client Credentials grant, only limited features of the OAuth 2.0 Static Client plugin can be used:

  • Configuration of the Basic Settings, including the Client ID, Redirect URIs and Always Granted Scopes properties.
  • Configuration of the Authentication Settings.
 
Functional limitation

The Client Credentials grant has the following known limitations:

  • It is impossible to add custom claims.
  • Token revocation and introspection are not supported.
  • Opaque tokens are not supported.