Which OAuth2 Grant Type Flow should I use, and when?
The OAuth 2.0 protocol is widely used for authorising different types of applications. If you are a beginner and confused about the different grant types and when to use each flow, this post will help you understand the basic OAuth2 grant types and choose the right one for your application.
What is authorisation?
Authorisation means giving permission or granting rights to access a resource. It keeps resources secure by making them available only to those who have permission. For example, a key to your house is one way of securing your things: you decide whom to give the permission (the key) to enter the house. Likewise, to access any data in your application, permission must be granted, and only those users/systems can then access the data.
Authorization Code Grant Type:
When your application has both a server and a client interface, it is advised to go with this flow, since it is the most secure one. If the user is not authenticated, they are redirected to the login screen, where the user provides a username and password. After successful authentication, the authorization server redirects back with a code. This code is then exchanged for the authorization details (tokens) of the user. Since the token is obtained in two steps, and it is requested and received by your server side rather than by the client, this flow is more secure.
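The three steps described above, as an added example that is not part of the original post: the client builds the redirect to the login screen with a random state, validates that state when the code comes back, and exchanges the code server-side. The endpoints, client id and client secret are constructed placeholders, and `ToyAuthServer` is an in-memory stand-in for the authorization server that shows why the second step is safer (single-use codes, secret never passes through the browser).

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders: not a real provider's endpoints or credentials.
AUTHORIZE_ENDPOINT = "https://auth.example/authorize"
REDIRECT_URI = "https://app.example/callback"
CLIENT_ID, CLIENT_SECRET = "demo-client", "demo-secret"

def build_authorization_url(scope):
    """Step 1 (via the browser): send the user to the login screen. The random
    state is kept in the user's session and checked when the redirect returns."""
    state = secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", state

def code_from_callback(callback_url, expected_state):
    """Step 2 (browser -> app): take the code out of the redirect URL, but only
    if the state matches the one issued for this session."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state") != [expected_state]:
        raise ValueError("state mismatch: redirect does not belong to this session")
    if "error" in query:
        raise ValueError("authorization denied: " + query["error"][0])
    return query["code"][0]

class ToyAuthServer:
    """In-memory stand-in for the authorization server: codes are single-use and bound to client and redirect URI."""
    def __init__(self):
        self._codes = {}
    def issue_code(self, client_id, redirect_uri, state):
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, redirect_uri)
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"
    def exchange(self, code, client_id, client_secret, redirect_uri):
        """Step 3 (app server -> auth server): the client secret travels here only."""
        bound = self._codes.pop(code, None)  # pop: a code can be redeemed only once
        if bound is None or bound != (client_id, redirect_uri):
            return {"error": "invalid_grant"}
        if client_secret != CLIENT_SECRET:
            return {"error": "invalid_client"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}

def run_flow(server, scope="profile"):
    """Drive all three steps against the toy server; returns (token response, code)."""
    _, state = build_authorization_url(scope)
    callback = server.issue_code(CLIENT_ID, REDIRECT_URI, state)  # user logged in and consented
    code = code_from_callback(callback, state)
    return server.exchange(code, CLIENT_ID, CLIENT_SECRET, REDIRECT_URI), code
```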
Implicit Grant Type:
When your application has only a client interface and no server, you can go with this grant type. After successful authentication, the authorization server redirects back with the token itself rather than a code. The token is received directly at the client side, which is why this flow is considered less secure than the authorization code flow above.
Password Grant Type:
If your application can't use the login screen provided by the OAuth2 provider but still requires user authorization, this grant type is advised. The user's username and password must be sent to the token API in order to get the access token.
Client Credentials Grant Type:
When your application is server side only and does not require user-based access, a token is issued for the application itself, which can be used to access the resources. The client ID and client secret must be provided to the API in order to get the access token for your application.
For more details, please see the OAuth 2.0 specification: https://datatracker.ietf.org/doc/html/rfc6749