OAuth Flows
There are four different flows for OAuth 2.0:

  1. Authorization Code Grant (a.k.a. Three-legged OAuth) - the client calls the OAuth server twice: first to request an authorization code, then to exchange that code for an access token. This is the default flow and the most secure one.
  2. Implicit Grant - the client calls the OAuth server at the authorization endpoint only once and gets an access token immediately. This is usually for clients that cannot securely store secrets and tokens, e.g. a client-side JavaScript application. Tokens issued by this flow usually have a shorter validity.
  3. Client Credential Grant (a.k.a. Two-legged OAuth) - the client calls the OAuth server at the token endpoint and gets an access token without any resource-owner authorization. This is usually for accessing non-user-specific resources.
  4. Resource Owner Password Credential Grant - used when the resource owner trusts the client enough to give it their password, so the client can obtain the access token directly from the OAuth server.
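The four flows above, worked through against a toy in-memory authorization server. This is an added example, not code from the original page or from any real OAuth library; the client ids, secrets, redirect URIs, user and password are all constructed for the demo. It shows the two-call shape of the authorization code grant (with the client checking `state` and the server refusing a replayed code), the one-call implicit grant with the token in the URL fragment, the client credentials grant that only a confidential client can use, and the password grant.

```python
"""Toy OAuth 2.0 authorization server covering the four grant types (added example)."""
import hashlib
import secrets
import time
from urllib.parse import urlsplit, parse_qs

# Constructed client registry: hypothetical ids, secrets and redirect URIs.
CLIENTS = {
    "web-app": {"secret": "web-app-secret", "redirect_uri": "https://app.example/cb", "confidential": True},
    "spa":     {"secret": None,             "redirect_uri": "https://spa.example/cb", "confidential": False},
}
# Constructed resource-owner table; the demo stores SHA-256 digests of passwords.
USERS = {"alice": hashlib.sha256(b"correct horse battery staple").hexdigest()}


class AuthServer:
    def __init__(self):
        self.codes = {}   # authorization code -> (client_id, user, redirect_uri, expiry)
        self.tokens = {}  # access token -> {client_id, user, expiry}

    def _issue(self, client_id, user, ttl):
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = {"client_id": client_id, "user": user, "expiry": time.time() + ttl}
        return {"access_token": tok, "token_type": "bearer", "expires_in": ttl}

    # Authorization endpoint (flows 1 and 2). Called after the resource owner has logged in
    # and consented; returns the redirect URL the user agent would be sent to.
    def authorize(self, client_id, response_type, redirect_uri, user, state):
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_request: unknown client or redirect_uri mismatch")
        if response_type == "code":
            code = secrets.token_urlsafe(24)
            self.codes[code] = (client_id, user, redirect_uri, time.time() + 60)  # short-lived code
            return f"{redirect_uri}?code={code}&state={state}"
        if response_type == "token":
            # Implicit grant: the token itself goes into the fragment, with a shorter lifetime.
            tok = self._issue(client_id, user, ttl=300)
            return f"{redirect_uri}#access_token={tok['access_token']}&token_type=bearer&expires_in=300&state={state}"
        raise ValueError("unsupported_response_type")

    # Token endpoint (flows 1, 3 and 4). Confidential clients must present their secret.
    def token(self, grant_type, client_id, client_secret=None, **params):
        client = CLIENTS.get(client_id)
        if client is None:
            raise ValueError("invalid_client")
        if client["confidential"] and not secrets.compare_digest(client_secret or "", client["secret"]):
            raise ValueError("invalid_client")
        if grant_type == "authorization_code":
            entry = self.codes.pop(params.get("code", ""), None)  # single use: removed on first redemption
            if entry is None:
                raise ValueError("invalid_grant")
            code_client, user, redirect_uri, expiry = entry
            if code_client != client_id or redirect_uri != params.get("redirect_uri") or time.time() > expiry:
                raise ValueError("invalid_grant")
            return self._issue(client_id, user, ttl=3600)
        if grant_type == "client_credentials":
            if not client["confidential"]:
                raise ValueError("unauthorized_client")  # a public client cannot prove its identity
            return self._issue(client_id, None, ttl=3600)  # no resource owner involved
        if grant_type == "password":
            digest = hashlib.sha256(params.get("password", "").encode()).hexdigest()
            stored = USERS.get(params.get("username", ""), "")
            if not (stored and secrets.compare_digest(digest, stored)):
                raise ValueError("invalid_grant")
            return self._issue(client_id, params["username"], ttl=3600)
        raise ValueError("unsupported_grant_type")


def rejected(fn, *args, **kwargs):
    """True if the server refused the request with an OAuth error."""
    try:
        fn(*args, **kwargs)
        return False
    except ValueError:
        return True


def authorization_code_flow(server):
    """Flow 1: two calls. Returns the token response and whether a replay of the code succeeded."""
    state = secrets.token_urlsafe(8)
    redirect = server.authorize("web-app", "code", "https://app.example/cb", user="alice", state=state)
    q = parse_qs(urlsplit(redirect).query)
    if q["state"][0] != state:            # client-side CSRF check on the returned state
        raise ValueError("state mismatch")
    code = q["code"][0]
    first = server.token("authorization_code", "web-app", "web-app-secret",
                         code=code, redirect_uri="https://app.example/cb")
    replayed = not rejected(server.token, "authorization_code", "web-app", "web-app-secret",
                            code=code, redirect_uri="https://app.example/cb")
    return first, replayed


def implicit_flow(server):
    """Flow 2: one call; the token arrives in the URL fragment."""
    redirect = server.authorize("spa", "token", "https://spa.example/cb", user="alice", state="xyz")
    return parse_qs(urlsplit(redirect).fragment)


if __name__ == "__main__":
    srv = AuthServer()
    print(authorization_code_flow(srv))
    print(implicit_flow(srv))
    print(srv.token("client_credentials", "web-app", "web-app-secret"))
    print(srv.token("password", "web-app", "web-app-secret",
                    username="alice", password="correct horse battery staple"))
```

The design points worth noticing: the code is bound to the client and redirect URI it was issued for, expires quickly and is deleted on first redemption, so a stolen code that the legitimate client has already exchanged is worthless; the implicit token carries a short `expires_in` because it travels through the browser; and the public `spa` client is refused the client credentials grant because it has no secret to authenticate with.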