There are four different flows for OAuth 2.0:
- Authorization Code Grant (a.k.a. Three-legged OAuth)- client calls OAuth server two times; first time for requesting Authorization Code and second time for requesting Access Token. This is the default flow and the most secured one.
- Client Credential Grant (a.k.a. Two-legged OAuth) - client calls OAuth server at token endpoint and get an access token without authorization. This is usually for accessing non-user-specific resources.
- Resource Owner Password Credential Grant - in case resource owner trust and can give the password to the client so it can get the access token directly from the OAuth server