This blog is second part of What is OAuth.
When a client applications want to access resource on a resource server, the client application must obtain authorization grant. Below are different approach to get Authorization Grant specified in OAuth 2.0.
- Client ID, Client Secret and redirect URLs :-
- Application registers with Authorization Server.
- Authorization Server provides client Id and Client Secret.
- If application registers with multiple authorization server, each will provide unique client Id and client secret.
- When resource owner authorizes client application successfully, it redirects to client application using redirect URI.
- Authorization Grant :- OAuth 2.0 lists 4 types of authorization grant as follows:
- Authorization code :- Used by a client like web server. The authorization code grant is used to obtain both access token and refresh tokens and is optimized for confidential clients. Since this is a redirection based flow the client must be capable for interacting with resource owners user-agent and capable of receiving redirect requests from authorization server. For example web browser.
- Implicit:- Used by client that cannot protect secret and tokens like SPA or mobile apps. In this mode the access token is returned when the user agent is redirected to the redirect URI. The client application in this case can only send client Id to authorization server. The user agent or native application would receive the access token from authorization server. It does not support issuance of refresh token.
- Resource Owner password:- Client or user doesn’t have access to browser. Possible use case is where user can type user name and password in the client application. The client application then uses user name and password to access resource. For example resource on Facebook or Twitter.
- Client credential:- Used if client application doesn’t need user consent to access a resource on the resource server. For example obtaining list of venues from Foursquare.
Detailed documentation of The Authorization Framework can be found here.