OAuth
OAuth 2.0
server-to-server: Client Credentials Flow
server-side app: Authorization Code Flow
SPA: Authorization Code Flow without Client Secret or Implicit Flow
mobile: Authorization Code Flow with PKCE (Proof Key for Code Exchange)
device without browser: Device Flow
★Grant Type
Authorization Code: used by a secure client, such as a web server, that can keep a client secret
Implicit: used by a client that can't protect a client secret or a refresh token, e.g. a mobile app or an HTML5 single-page app
Resource Owner Password Credentials: used when neither of the flows above works, e.g. if the user doesn't have access to a web browser
Client Credentials: used if the client app doesn't need user consent to access a resource
Authorization Code
Auth code request
GET /authorize?response_type=code&client_id={yourClientId}
&redirect_uri={yourRedirectUri}&scope=openid&state=xyz HTTP/1.1
Host: server.example.com
Auth code response
HTTP/1.1 302 Found
Location: {yourRedirectUri}?code={receivedAuthCode}&state=xyz
Access token request
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic dummy
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code={receivedAuthCode}&redirect_uri={yourRedirectUri}
Access token response
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"...",
"token_type":"Bearer",
"expires_in":3600,
"refresh_token":"..."
}
Refresh access token request
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic dummy
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token&refresh_token={receivedRefreshToken}&scope=abc
Refresh access token response
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"...",
"token_type":"Bearer",
"expires_in":3600
}
Resource Owner Password Credentials
Access token request
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic dummy
Content-Type: application/x-www-form-urlencoded
grant_type=password&username={yourName}&password={yourPwd}&scope=abc
Access token response
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"...",
"token_type":"Bearer",
"expires_in":3600,
"refresh_token":"..."
}
Client Credentials
Access token request
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&client_id={yourClientId}&client_secret={yourClientSecret}
Access token response
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"...",
"token_type":"Bearer",
"expires_in":3600,
"scope":"user.readonly"
}
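The Authorization Code flow from the messages above, on the client side, as an added example that is not part of this cheat sheet: it generates the state value and a PKCE code_verifier/code_challenge pair (the variant listed for mobile apps at the top), builds the front-channel authorization request without any client secret, refuses the redirect unless state matches the user's session, and prepares the back-channel token request. The endpoint URL, the client id and the function names are assumptions; the server-side verify_code_verifier shows what /token has to check when the code is redeemed.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed endpoint, matching the Host used in the messages above.
AUTHORIZE_URL = "https://server.example.com/authorize"

def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_pkce_pair():
    """Client side: (code_verifier, code_challenge) for the S256 method."""
    verifier = b64url(secrets.token_bytes(32))            # 43 chars, kept secret
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge

def verify_code_verifier(verifier: str, challenge: str) -> bool:
    """Server side at /token: the challenge stored with the code must match."""
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected.encode(), challenge.encode())

def build_authorize_url(client_id, redirect_uri, scope, state, code_challenge):
    """Front-channel GET: the browser sees this URL, so no client_secret in it."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state,
              "code_challenge": code_challenge, "code_challenge_method": "S256"}
    return AUTHORIZE_URL + "?" + urlencode(params)

def parse_callback(callback_url, expected_state):
    """Take the code from the redirect; refuse it unless state equals the value
    saved in this user's session (stops CSRF / injecting a code into a session)."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]

def build_token_request(code, redirect_uri, code_verifier):
    """Back-channel POST body for /token; the client authenticates with HTTP
    Basic in the Authorization header, never with a secret in the front channel."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri, "code_verifier": code_verifier})
```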
★Token Type
Basic token
Bearer token
Message authentication code (MAC) token
JSON web token (JWT)