OAuth 2 Grant Types: A Story Guide

Open Authorization (OAuth 2) is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service.

The Story …

OAuth 2 Roles

  • Resource Owner (a.k.a. the user)
  • Client: An application making protected resource requests on behalf of the Resource Owner and with its authorization
  • Authorization Server: The server issuing Access Tokens to the Client after successfully authenticating the Resource Owner and obtaining authorization
  • Resource Server: The server hosting the protected resources

OAuth 2 Grant Types

  • Authorization Code Grant Type
  • Implicit Grant Type
  • Resource Owner Credentials Grant Type
  • Client Credentials Grant Type
  • Refresh Token Grant

Authorization Code Grant Type

GET (Authorization Endpoint)
?response_type=code
&client_id={CLIENT ID}
&redirect_uri={REDIRECT URI}
&scope={SCOPES}
&state={STATE}

LOCATION : {REDIRECT URI}
?code={AUTHORIZATION CODE}
&state={STATE}

POST (Token Endpoint)
Authorization : Basic <BASE64({CLIENT ID}:{CLIENT SECRET})>
grant_type=authorization_code
&code={AUTHORIZATION CODE}
&redirect_uri={REDIRECT URI}

{
"access_token" : {ACCESS TOKEN},
"token_type" : {TOKEN TYPE >> Bearer},
"refresh_token" : {REFRESH TOKEN},
"expires_in" : {Lifetime in seconds}
}
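The client side of the exchange above, as an added example that is not part of the original article: it builds the authorization request with a fresh state value, refuses a redirect whose state does not match the session that started the flow, and prepares the token-endpoint POST with HTTP Basic client authentication. The endpoint URLs, client id, client secret and the authorization code in the sample redirect are constructed placeholders.

```python
import base64
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Added example: client side of the OAuth 2 Authorization Code grant.
# All values below are constructed placeholders, not a real provider's.
AUTHORIZATION_ENDPOINT = "https://auth.example.com/authorize"
TOKEN_ENDPOINT = "https://auth.example.com/token"
CLIENT_ID = "my-client-id"
CLIENT_SECRET = "my-client-secret"
REDIRECT_URI = "https://app.example.com/callback"


def new_state() -> str:
    """Unguessable per-request value stored in the user's session; binding the
    callback to that session is what protects the redirect against CSRF."""
    return secrets.token_urlsafe(32)


def build_authorization_url(state: str, scopes: list) -> str:
    """Step 1: the URL the browser is sent to (GET on the authorization endpoint)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"


def extract_code(redirect_url: str, expected_state: str) -> str:
    """Step 2: parse the LOCATION the authorization server redirected to and
    return the authorization code, rejecting the response on a state mismatch."""
    query = parse_qs(urlparse(redirect_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: response is not bound to this session")
    try:
        return query["code"][0]
    except KeyError:
        raise ValueError("redirect carried no authorization code") from None


def build_token_request(code: str) -> tuple:
    """Step 3: headers and form body for the POST to the token endpoint."""
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must equal the URI used in step 1
    }
    return headers, body


if __name__ == "__main__":
    state = new_state()
    print(build_authorization_url(state, ["profile", "email"]))
    # Constructed redirect of the kind the authorization server sends back.
    redirect = f"{REDIRECT_URI}?code=code-abc123&state={state}"
    code = extract_code(redirect, state)
    headers, body = build_token_request(code)
    print(headers["Authorization"], urlencode(body))
```

The secret never leaves the client's back end: only the code travels through the browser, and it is useless to anyone who cannot also present the client credentials at the token endpoint.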

Implicit Grant Type

GET (Authorization Endpoint)
?response_type=token
&client_id={CLIENT ID}
&redirect_uri={REDIRECT URI}
&scope={SCOPES}
&state={STATE}

LOCATION : {REDIRECT URI}
#access_token={ACCESS TOKEN}
&token_type={TOKEN TYPE >> Bearer}
&expires_in={EXPIRES IN}
&state={STATE}

Resource Owner Credentials Grant Type

This grant is great for trusted first-party clients, both on the web and in native device applications.

POST (Token Endpoint)
Authorization : Basic <BASE64({CLIENT ID}:{CLIENT SECRET})>
grant_type=password
&username={USERNAME}
&password={PASSWORD}
&scope={SCOPES}

{
"access_token" : {ACCESS TOKEN},
"token_type" : {TOKEN TYPE >> Bearer},
"expires_in" : {Lifetime in seconds},
"refresh_token" : {REFRESH TOKEN}
}

Client Credentials Grant Type

This grant flow is suitable for machine-to-machine authentication where a specific user’s permission to access data is not required.

POST (Token Endpoint)
Authorization : Basic <BASE64({CLIENT ID}:{CLIENT SECRET})>
grant_type=client_credentials
&scope={SCOPES}

{
"access_token" : {ACCESS TOKEN},
"expires_in" : {Lifetime in seconds},
"token_type" : {TOKEN TYPE >> Bearer}
}

Refresh Token Grant

POST (Token Endpoint)
Authorization : Basic <BASE64({CLIENT ID}:{CLIENT SECRET})>
grant_type=refresh_token
&refresh_token={REFRESH TOKEN}
&scope={SCOPES}

{
"access_token" : {ACCESS TOKEN},
"refresh_token" : {REFRESH TOKEN},
"expires_in" : {Lifetime in seconds},
"token_type" : {TOKEN TYPE >> Bearer}
}
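The other side of the token-endpoint requests shown for the Authorization Code, Resource Owner Credentials, Client Credentials and Refresh Token grants, as an added example that is not part of the original article: a minimal authorization-server token endpoint that authenticates the client from the Basic header and dispatches on grant_type. It also carries the checks a server is expected to make and the templates above cannot show: each client is limited to the grant types it was registered for, an authorization code is accepted once and only with the redirect_uri it was issued for, a refresh may narrow the scope but never widen it, and a used refresh token is rotated out. Clients, users, codes and tokens are constructed in-memory data.

```python
import base64
import secrets
from dataclasses import dataclass
from typing import Optional

# Added example (not from the original article): an authorization server's
# token endpoint. Everything below is constructed in-memory data; a real
# server backs clients, users, codes and tokens with persistent storage.


@dataclass
class Client:
    client_id: str
    client_secret: str
    redirect_uri: str
    allowed_grants: frozenset


CLIENTS = {
    "web-app": Client("web-app", "s3cret", "https://app.example.com/cb",
                      frozenset({"authorization_code", "password", "refresh_token"})),
    "batch-job": Client("batch-job", "j0b-s3cret", "",
                        frozenset({"client_credentials"})),
}
USERS = {"alice": "correct horse"}  # constructed; store password hashes in practice
CODES: dict = {}    # authorization code -> (client_id, redirect_uri, scope, user)
REFRESH: dict = {}  # refresh token -> (client_id, scope, user)
ACCESS_TTL = 3600


class TokenError(Exception):
    """str(err) is the RFC 6749 error code placed in the JSON error response."""


def basic_auth(client_id: str, secret: str) -> str:
    """Value of the Authorization header a client sends: Basic BASE64(id:secret)."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


def grant_code(client_id: str, redirect_uri: str, scope: str, user: str) -> str:
    """What the authorization endpoint records once the user has consented."""
    code = secrets.token_urlsafe(24)
    CODES[code] = (client_id, redirect_uri, scope, user)
    return code


def authenticate_client(authorization: str) -> Client:
    scheme, _, b64 = authorization.partition(" ")
    try:
        client_id, _, secret = base64.b64decode(b64).decode().partition(":")
    except ValueError:
        raise TokenError("invalid_client") from None
    client = CLIENTS.get(client_id)
    # constant-time comparison so a wrong secret is not distinguishable by timing
    if scheme != "Basic" or client is None or not secrets.compare_digest(secret, client.client_secret):
        raise TokenError("invalid_client")
    return client


def issue(client: Client, scope: str, user: Optional[str], with_refresh: bool) -> dict:
    token = {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
             "expires_in": ACCESS_TTL}
    if with_refresh:
        token["refresh_token"] = secrets.token_urlsafe(32)
        REFRESH[token["refresh_token"]] = (client.client_id, scope, user)
    return token


def token_endpoint(authorization: str, form: dict) -> dict:
    """Handle one POST to the token endpoint; `form` is the decoded request body."""
    client = authenticate_client(authorization)
    grant = form.get("grant_type")
    if grant not in client.allowed_grants:
        raise TokenError("unauthorized_client")
    if grant == "authorization_code":
        entry = CODES.pop(form.get("code"), None)  # codes are single-use
        if entry is None or entry[0] != client.client_id or entry[1] != form.get("redirect_uri"):
            raise TokenError("invalid_grant")
        return issue(client, entry[2], entry[3], with_refresh=True)
    if grant == "password":
        user = form.get("username", "")
        if user not in USERS or not secrets.compare_digest(USERS[user], form.get("password", "")):
            raise TokenError("invalid_grant")
        return issue(client, form.get("scope", ""), user, with_refresh=True)
    if grant == "client_credentials":  # no user behind the token, so no refresh token
        return issue(client, form.get("scope", ""), None, with_refresh=False)
    # grant == "refresh_token"
    old = form.get("refresh_token")
    entry = REFRESH.get(old)
    if entry is None or entry[0] != client.client_id:
        raise TokenError("invalid_grant")
    scope = form.get("scope", entry[1])
    if not set(scope.split()) <= set(entry[1].split()):  # may narrow, never widen
        raise TokenError("invalid_scope")
    del REFRESH[old]  # rotate: the presented refresh token stops working
    return issue(client, scope, entry[2], with_refresh=True)
```

Binding the code to the client and redirect_uri, and the refresh token to the client, is what stops one client from redeeming a code or refresh token that was issued to another; the per-client allowed_grants set is how a server keeps a machine-to-machine client from ever using the password grant.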
