OAuth

OAuth 2.0

server-to-server: Client Credentials Flow

server-side app: Authorization Code Flow

SPA: Authorization Code Flow without Client Secret or Implicit Flow

mobile: Authorization Code Flow with PKCE (Proof Key for Code Exchange)

device without browser: Device Flow

Grant Type

Authorization Code: Used by a secure client like a web server

Implicit: Used by a client that can't protect a client secret or a refresh token, e.g. a mobile app or an HTML5 single-page app

Resource Owner Password Credentials: Used when neither of the flows above works, e.g. if the user doesn't have access to a web browser

Client Credentials: Used if the client app doesn't need user consent to access a resource

Authorization Code

Auth code request (front channel, through the user's browser: the client secret is never sent here, and state is a random value the client generates and checks again on return)

GET /authorize?response_type=code&client_id={yourClientId}
&redirect_uri={yourRedirectUri}&scope=openid&state=xyz HTTP/1.1
Host: server.example.com

Auth code response

HTTP/1.1 302 Found
Location: {yourRedirectUri}?code={receivedAuthCode}&state=xyz

Access token request (back channel; the client authenticates with HTTP Basic and repeats the redirect_uri used above)

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic dummy
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code={receivedAuthCode}&redirect_uri={yourRedirectUri}

Access token response

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
"access_token":"...",
"token_type":"Bearer",
"expires_in":3600,
"refresh_token":"..."
}

Refresh access token request

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic dummy
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token={receivedRefreshToken}&scope=abc

Refresh access token response

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
"access_token":"...",
"token_type":"Bearer",
"expires_in":3600
}

Resource Owner Password Credentials

Access token request

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic dummy
Content-Type: application/x-www-form-urlencoded

grant_type=password&username={yourName}&password={yourPwd}&scope=abc

Access token response

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
"access_token":"...",
"token_type":"example",
"expires_in":3600,
"refresh_token":"..."
}

Client Credentials

Access token request (client_id and client_secret in the form body; no user is involved)

POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id={yourClientId}&client_secret={yourClientSecret}

Access token response (no refresh token: the client can simply request a new token with its own credentials)

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
"access_token":"...",
"token_type":"Bearer",
"expires_in":3600,
"scope":"user.readonly"
}
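The Authorization Code flow above, with PKCE and the state check the mobile/SPA rows call for, as an added example that is not part of the original cheat sheet. Both sides of the exchange are modelled offline: `AuthServer` is a hypothetical in-memory authorization server (its client registration `demo-client`/`demo-secret`, the redirect URI and every token value are constructed for the example), and `run_auth_code_flow` plays the client. The refresh-token branch rotates the token on every use, one of the options RFC 6749 leaves to the server.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


# Hypothetical in-memory authorization server, constructed for this example.
# /authorize (front channel) and /token (back channel) are plain method calls here.
class AuthServer:
    def __init__(self):
        self.clients = {"demo-client": "demo-secret"}   # constructed client registration
        self.codes = {}            # one-time codes -> what they were issued for
        self.refresh_tokens = {}   # live refresh tokens -> client_id and scope

    def authorize(self, query):
        """GET /authorize: the user is assumed authenticated and consenting."""
        q = {k: v[0] for k, v in parse_qs(query).items()}
        if "client_secret" in q:
            raise ValueError("client_secret must never pass through the browser")
        if q.get("response_type") != "code" or q.get("client_id") not in self.clients:
            raise ValueError("invalid authorization request")
        if q.get("code_challenge_method") != "S256":
            raise ValueError("PKCE with S256 is required")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                            "code_challenge": q["code_challenge"], "scope": q["scope"]}
        # Models "302 Found / Location: redirect_uri?code=...&state=..." (state echoed unchanged)
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, basic_auth, form):
        """POST /token: authenticate the client (HTTP Basic), validate the grant, mint tokens."""
        creds = base64.b64decode(basic_auth.split(" ", 1)[1]).decode()
        client_id, _, client_secret = creds.partition(":")
        if self.clients.get(client_id) != client_secret:
            return 401, {"error": "invalid_client"}
        f = {k: v[0] for k, v in parse_qs(form).items()}
        if f.get("grant_type") == "authorization_code":
            rec = self.codes.pop(f.get("code"), None)          # pop: a code is single-use
            if rec is None or rec["client_id"] != client_id or rec["redirect_uri"] != f.get("redirect_uri"):
                return 400, {"error": "invalid_grant"}
            # PKCE: S256(code_verifier) must equal the challenge bound to this code
            if s256(f.get("code_verifier", "")) != rec["code_challenge"]:
                return 400, {"error": "invalid_grant"}
            scope = rec["scope"]
        elif f.get("grant_type") == "refresh_token":
            rec = self.refresh_tokens.pop(f.get("refresh_token"), None)   # rotation: old token dies on use
            if rec is None or rec["client_id"] != client_id:
                return 400, {"error": "invalid_grant"}
            scope = rec["scope"]
        else:
            return 400, {"error": "unsupported_grant_type"}
        new_refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[new_refresh] = {"client_id": client_id, "scope": scope}
        return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                     "expires_in": 3600, "refresh_token": new_refresh, "scope": scope}


def s256(code_verifier):
    """PKCE code_challenge = BASE64URL(SHA256(code_verifier)) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def basic_header(client_id, client_secret):
    """Value of the Authorization header for HTTP Basic client authentication."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def run_auth_code_flow(server, client_id="demo-client", client_secret="demo-secret",
                       redirect_uri="https://client.example/cb", scope="openid"):
    """Client side of the flow; returns the /token status code and JSON body."""
    state = secrets.token_urlsafe(16)          # binds the callback to this browser session
    verifier = secrets.token_urlsafe(32)       # PKCE verifier, never leaves the client
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "scope": scope, "state": state,
                       "code_challenge": s256(verifier), "code_challenge_method": "S256"})
    callback = server.authorize(query)         # the user's browser follows the 302 back to us
    cb = {k: v[0] for k, v in parse_qs(urlparse(callback).query).items()}
    if cb.get("state") != state:
        raise ValueError("state mismatch: callback was not started by this session")
    form = urlencode({"grant_type": "authorization_code", "code": cb["code"],
                      "redirect_uri": redirect_uri, "code_verifier": verifier})
    return server.token(basic_header(client_id, client_secret), form)


def refresh(server, refresh_token, client_id="demo-client", client_secret="demo-secret"):
    """Refresh access token request: grant_type=refresh_token over the back channel."""
    form = urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token})
    return server.token(basic_header(client_id, client_secret), form)


if __name__ == "__main__":
    srv = AuthServer()
    status, body = run_auth_code_flow(srv)
    print(status, body["token_type"], body["scope"])
```

Three checks carry the security of the flow: the state comparison on the callback, the single-use code (popped before PKCE is even evaluated, so a failed exchange also burns the code), and the refresh-token rotation that turns a replayed refresh token into an `invalid_grant` error the server can alert on.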

Token Type

Basic token

Bearer token

Message authentication code (MAC) token

JSON web token (JWT)
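How a resource server consumes the Bearer / JWT token types listed above, as an added example that is not part of the original cheat sheet. `mint_jwt` stands in for the authorization server and signs with HS256 and a constructed shared key; `verify_bearer` is the resource-server side, checking the scheme, the algorithm, the signature in constant time, `exp` and the requested scope before trusting any claim. Key, claims and timestamps are all constructed; a production resource server would more commonly verify an asymmetric signature against the authorization server's published keys, but the checks are the same.

```python
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Raised for any reason the token must not be accepted."""


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims, key):
    """Authorization-server side (constructed): HS256 JWT used as the access_token value."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_bearer(authorization, key, required_scope, now=None):
    """Resource-server side: validate 'Authorization: Bearer <jwt>' and return its claims."""
    now = time.time() if now is None else now
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not token:
        raise TokenError("expected a Bearer token")
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed JWT")
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        sig = b64url_decode(parts[2])
    except ValueError:                       # covers bad base64, bad UTF-8 and bad JSON
        raise TokenError("malformed JWT")
    # The verifier decides the algorithm; the token's header is never allowed to pick it,
    # so "none" or any other alg is rejected outright.
    if header.get("alg") != "HS256":
        raise TokenError("unsupported alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        raise TokenError("bad signature")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenError("token expired or missing exp")
    if required_scope not in claims.get("scope", "").split():
        raise TokenError("insufficient_scope")
    return claims


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"        # constructed; never hard-code a real key
    tok = mint_jwt({"sub": "alice", "scope": "user.readonly", "exp": int(time.time()) + 3600}, demo_key)
    print(verify_bearer("Bearer " + tok, demo_key, "user.readonly"))
```

Every rejection is raised as the same `TokenError` so the caller answers with a uniform 401 and does not leak which check failed; the scope check maps onto the `"scope":"user.readonly"` value in the Client Credentials response above.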